CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-4269

unknowncovered by 1 sourcefirst seen 2026-06-05
Bulletin ID: 2026-008-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 2026/03/16 11:15 AM PDT Description: A missing S3 ownership verification in the Bedrock AgentCore Starter Toolkit before version v0.1.13 may allow a remote actor to inject code during the build process, leading to code execution in the AgentCore Runtime. Impacted versions: All versions of Bedrock AgentCore Starter Toolkit versions before v0.1.13. This issue only affects users of the Bedrock AgentCore Starter Toolkit before version v0.1.13 who build the Toolkit after September 24, 2025. Any users on a version >=v0.1.13, and any users on previous versions who built the toolkit before September 24, 2025 are not affected. Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.

CSIRTS triage

What
Missing S3 ownership verification may allow a remote actor to inject code during the build process.
Who is affected
Users of Bedrock AgentCore Starter Toolkit versions before v0.1.13 who build the Toolkit after September 24, 2025.
Urgency
Remediation is critical to prevent code injection during the build process.
Action
Upgrade to Bedrock AgentCore Starter Toolkit version v0.1.13 or later.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch CVE-2026-4269

Get an email if CVE-2026-4269 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-4269

CVE.org record

Embed the live status

CVE-2026-4269 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-4269 status](https://www.csirts.com/badge/CVE-2026-4269)](https://www.csirts.com/cve/CVE-2026-4269)