CVE-2026-9291 - Insecure Deserialization in Amazon Braket SDK Job Results Processing
Bulletin ID: 2026-036-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 05/22/2026 11:15 AM PDT Description: Amazon Braket SDK is an open-source Python library for interacting with the Amazon Braket quantum computing service, including managing hybrid quantum jobs and retrieving job results. We identified CVE-2026-9291, an insecure deserialization issue (CWE-502) in the job results processing component. The SDK's deserialize_values() function trusts the dataFormat field from an untrusted JSON file to control whether pickle.loads() is called on the data payload. A remote authenticated user with S3 write access to the job output bucket can modify the dataFormat field in results.json from PLAINTEXT to pickled_v4 and replace data values with executable payloads, achieving arbitrary code execution on any machine that processes job results. Impacted versions: >= 1.10.0 AND < 1.117.0 Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
CSIRTS triage
- What
- Insecure deserialization allows remote authenticated users to execute arbitrary code.
- Who is affected
- Authenticated users with S3 write access to the job output bucket in Amazon Braket SDK.
- Urgency
- Remediation is critical as it can lead to remote code execution.
- Action
- Upgrade to the latest version of Amazon Braket SDK.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch Amazon Braket SDK
Get an email when a new Amazon Braket SDK advisory drops — max one per day, one-click unsubscribe.
Details
Original advisory: https://aws.amazon.com/security/security-bulletins/rss/2026-036-aws/
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-92910.38% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 30% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-9291 | coverage & exploitation status | NVD · CVE.org |
Recent advisories for - Insecure Deserialization
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- highCVE-2026-44795: Spinnaker is an open source, multi-cloud continuous delivery platform. Prior to 2026.1.0, 2026…nvd · 2026-07-10
- highGHSA-m8gf-v64p-gfmg: BabelDOC: Arbitrary Code Execution via CMap Pickle Deserialization in babeldoc/pdfminer/c…ghsa · 2026-07-10
- highCVE-2026-54469: Dell Unisphere for PowerMax, version(s) 10.3.0.5 and prior, contain(s) a Deserialization of Un…nvd · 2026-07-10
- highCVE-2026-40454: Out-of-bounds Read, Improper Input Validation vulnerability in Apache IoTDB C++ client. Out-of…nvd · 2026-07-10
- highCVE-2026-12378: The Appointment Booking Calendar Plugin and Scheduling Plugin WordPress plugin through 1.1.28 …nvd · 2026-07-08
- highCVE-2026-43825: Untrusted Java Deserialization in Apache OpenNLP SvmDoccatModel Versions Affected: before 3.0.…nvd · 2026-07-06
More from AWS Security Bulletins
- unknownCVE-2026-14904 - Improper Link Resolution in Auth.GetUserPrivateKey in AWS Research and Engineering Studio2026-07-07
- unknownCVE-2026-14471 - Authenticated SQL injection in the metrics-service retention policy subsystem of mcp-gateway-…2026-07-06
- unknownCVE-2026-14265- Deserialization of Untrusted Data in AWS Advanced JDBC Wrapper RemoteQueryCachePlugin2026-07-01
- unknownCVE-2026-13760 - OS Command Injection in NodejsFunction Docker Bundling in aws-cdk-lib2026-07-01
- unknownCVE-2026-13769 – Insecure file permissions in AWS CLI2026-07-01