
CVE-2026-7461 - OS Command Injection in Amazon ECS Agent via FSx Windows File Server Volume Credentials

Bulletin ID: 2026-024-AWS
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 04/30/2026 11:45 AM PDT
 

Description:

Amazon Elastic Container Service (Amazon ECS) is a fully managed container orchestration service that enables customers to deploy, manage, and scale containerized applications. The Amazon ECS agent supports mounting FSx for Windows File Server volumes in task definitions on Windows EC2 instances. We identified CVE-2026-7461, a command injection issue in FSx volume mounting that enables code execution with SYSTEM privileges via specially crafted credentials referenced in ECS task definitions.

Impacted versions: Version 1.47.0 through 1.102.2 of the ECS Agent for Windows

Resolution:

This issue only impacts ECS Windows worker instances. ECS on Fargate is not affected. This issue has been addressed in ECS agent version 1.103.0. We recommend upgrading to the latest Amazon ECS-optimized Windows AMI with an updated ECS agent version.

Workarounds:

Customers who cannot update to the latest AMI can restrict ecs:RegisterTaskDefinition permissions to trusted IAM principals only and restrict write access to Secrets Manager secrets referenced in FSx volume configurations.
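To act on the impacted-version range above and on this workaround, a defender needs two inventories: which Windows container instances still run an agent in the affected range, and which Secrets Manager secrets are referenced by FSx volume configurations in task definitions (so write access to exactly those secrets can be restricted). The following script is an added example written for this bulletin, not AWS or ECS agent code. It assumes the documented output shapes of `ecs describe-container-instances` (`versionInfo.agentVersion`, the built-in `ecs.os-type` attribute) and of task definitions (`volumes[].fsxWindowsFileServerVolumeConfiguration.authorizationConfig.credentialsParameter`); the instance and task-definition records embedded below are constructed sample data, and the secret ARN is a placeholder.

```python
"""Audit helpers for CVE-2026-7461 exposure (added example, not AWS code).

Feed it the JSON from `aws ecs describe-container-instances` and
`aws ecs describe-task-definition`; here constructed samples are used so it
runs offline.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Affected range and fix version as stated in the bulletin.
AFFECTED_MIN = (1, 47, 0)
AFFECTED_MAX = (1, 102, 2)
FIXED = (1, 103, 0)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse an agent version such as '1.102.2' into a comparable tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised agent version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected_version(text: str) -> bool:
    """True when the version lies within 1.47.0 .. 1.102.2 inclusive."""
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX


def find_affected_instances(instances: Iterable[Dict]) -> List[Tuple[str, str]]:
    """Return (containerInstanceArn, agentVersion) for Windows instances
    running an affected agent. Linux instances are skipped because the
    bulletin scopes impact to ECS Windows worker instances."""
    hits = []
    for inst in instances:
        attrs = {a.get("name"): a.get("value") for a in inst.get("attributes", [])}
        if attrs.get("ecs.os-type") != "windows":
            continue
        version = inst.get("versionInfo", {}).get("agentVersion", "")
        if version and is_affected_version(version):
            hits.append((inst["containerInstanceArn"], version))
    return hits


def fsx_credential_secrets(task_definition: Dict) -> List[str]:
    """List every credentialsParameter referenced by FSx Windows volumes in a
    task definition; these are the secrets whose write access the workaround
    says to restrict."""
    found = []
    for vol in task_definition.get("volumes", []):
        cfg = vol.get("fsxWindowsFileServerVolumeConfiguration")
        if not cfg:
            continue
        cred = cfg.get("authorizationConfig", {}).get("credentialsParameter")
        if cred:
            found.append(cred)
    return found


# Constructed sample data (not real account output).
SAMPLE_INSTANCES = [
    {"containerInstanceArn": "arn:aws:ecs:us-east-1:123456789012:container-instance/win-a",
     "versionInfo": {"agentVersion": "1.98.0"},
     "attributes": [{"name": "ecs.os-type", "value": "windows"}]},
    {"containerInstanceArn": "arn:aws:ecs:us-east-1:123456789012:container-instance/win-b",
     "versionInfo": {"agentVersion": "1.103.0"},
     "attributes": [{"name": "ecs.os-type", "value": "windows"}]},
    {"containerInstanceArn": "arn:aws:ecs:us-east-1:123456789012:container-instance/lnx-c",
     "versionInfo": {"agentVersion": "1.90.0"},
     "attributes": [{"name": "ecs.os-type", "value": "linux"}]},
]

SAMPLE_TASK_DEFINITION = {
    "family": "fsx-share-example",
    "volumes": [
        {"name": "share",
         "fsxWindowsFileServerVolumeConfiguration": {
             "fileSystemId": "fs-EXAMPLE",
             "rootDirectory": "\\\\data",
             "authorizationConfig": {
                 # Placeholder ARN; substitute the real secret from your task definition.
                 "credentialsParameter": "arn:aws:secretsmanager:us-east-1:123456789012:secret:fsx-creds-PLACEHOLDER",
                 "domain": "corp.example"}}},
        {"name": "scratch", "host": {"sourcePath": "C:\\scratch"}},
    ],
}

if __name__ == "__main__":
    for arn, ver in find_affected_instances(SAMPLE_INSTANCES):
        print(f"UPGRADE NEEDED: {arn} runs agent {ver}")
    for secret in fsx_credential_secrets(SAMPLE_TASK_DEFINITION):
        print(f"Restrict write access to: {secret}")
```

Pipe real output into `find_affected_instances` and `fsx_credential_secrets` per cluster and task-definition revision; instances that report `1.103.0` or later fall outside the range and are not flagged.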

References:

Acknowledgment:

We would like to thank Sachin Patil for collaborating on this issue through the coordinated vulnerability disclosure process.


Please email aws-security@amazon.com with any security questions or concerns.