CVE-2026-11393 - Code Injection via Improper Triple-Quote Escaping in AgentCore CLI Bedrock Agent Import
Bulletin ID: 2026-040-AWS
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 06/08/2026 11:45 AM PDT
Description:
The AWS AgentCore CLI (@aws/agentcore) is a developer tool for managing agent infrastructure lifecycle on Amazon Bedrock AgentCore. We identified CVE-2026-11393 in which improper neutralization of triple-quote characters during Python code generation may allow an authenticated user in the same AWS account to inject arbitrary Python code into the source file generated by the "agentcore add agent --type import" command.
Specifically, the collaborationInstruction field of a Bedrock Agent collaborator association was interpolated into a triple-quoted Python docstring using single-quote escaping rather than triple-quote escaping. A user with bedrock:AssociateAgentCollaborator IAM permission could craft a collaborationInstruction value containing """ to break out of the docstring boundary in the generated main.py of the imported agent. If that generated file was subsequently executed - either via agentcore dev on the developer's local machine, or via agentcore deploy followed by agentcore invoke in the AgentCore Runtime environment - the injected Python would run with the credentials available in that context.
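The escaping defect described above, reduced to a runnable model. This is an added illustration, not code from @aws/agentcore: the template, the field value, and both escaping routines are constructed here, and the hardened escaper is one correct approach rather than the project's actual patch. It renders a docstring from a collaborationInstruction value with single-quote-only escaping (the vulnerable behaviour) and with backslash-then-double-quote escaping, then parses the result with ast instead of executing it, so the injected statements show up as extra nodes in the function body. It also covers an edge case the bulletin's workaround does not mention: a value ending in a backslash, which with naive escaping swallows the closing quotes and leaves an unterminated literal.

```python
import ast

# Constructed stand-in for the generated main.py; the real agentcore
# template is not reproduced here. The field value lands inside """...""".
TEMPLATE = (
    "def collaborator_instruction() -> str:\n"
    '    """{body}"""\n'
    "    return collaborator_instruction.__doc__\n"
)

# Constructed sample values (not from any real Bedrock agent).
BENIGN_INSTRUCTION = "Answer billing questions and hand off refunds to the finance agent."
MALICIOUS_INSTRUCTION = (
    'Answer billing questions."""\n'
    '    import os; print(os.environ.get("AWS_SECRET_ACCESS_KEY"))\n'
    '    """'
)


def escape_single_quotes_only(value: str) -> str:
    """Vulnerable behaviour: only single quotes are neutralised, so a value
    containing three double quotes closes the docstring early."""
    return value.replace("'", "\\'")


def escape_for_triple_double_quotes(value: str) -> str:
    """Hardened (assumed fix, not the project's own): escape backslashes first,
    then every double quote. A run of \\"\\"\\" can no longer terminate the
    literal, and a trailing backslash cannot eat the closing quotes."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def render_main(instruction: str, hardened: bool) -> str:
    """Render the generated source for one collaborationInstruction value."""
    esc = escape_for_triple_double_quotes if hardened else escape_single_quotes_only
    return TEMPLATE.format(body=esc(instruction))


def audit(source: str):
    """Inspect generated source without running it. Returns the number of
    statements in the function body and the docstring as parsed. A clean file
    has exactly two statements (docstring, return) and a docstring equal to
    the original field value; anything else means the value broke out.
    Raises SyntaxError if escaping left the literal unterminated."""
    tree = ast.parse(source)
    fn = tree.body[0]
    return len(fn.body), ast.get_docstring(fn, clean=False)


if __name__ == "__main__":
    for label, value in (("benign", BENIGN_INSTRUCTION), ("malicious", MALICIOUS_INSTRUCTION)):
        for hardened in (False, True):
            src = render_main(value, hardened)
            try:
                count, doc = audit(src)
                verdict = "clean" if (count == 2 and doc == value) else "INJECTED"
            except SyntaxError as e:
                verdict = f"unparseable ({e.msg})"
            print(f"{label:9} hardened={hardened!s:5} -> {verdict}")
```

The audit is a stricter version of the manual check in the workaround: instead of grepping main.py for """ it parses the file and compares the docstring back against the instruction value, so a value that breaks out via a different quoting trick, or that merely corrupts the literal, is caught as well. Run it against a generated main.py only with ast.parse; never import or exec a file you suspect is tainted.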
Impacted versions:
- @aws/agentcore >= 0.4.0 AND <= 0.14.1
- preview versions >= 0.3.0-preview.7.0 and <= 1.0.0-preview.8
Resolution:
This issue has been addressed in @aws/agentcore version 0.14.2 and preview version 1.0.0-preview.9. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.
- GA versions:
npm install -g @aws/agentcore@latest
- Preview version:
npm install -g @aws/agentcore@preview
Customers who previously imported a Bedrock supervisor agent using agentcore add agent --type import on an affected version should:
- Upgrade the CLI to v0.14.2 / 1.0.0-preview.9 or later.
- Remove the affected agent from your project: "agentcore remove agent <name>".
- Re-run "agentcore add agent --type import" with the patched CLI to regenerate a clean main.py.
- Run "agentcore deploy --yes" to replace the deployed artifact on AWS.
Workarounds:
If an immediate upgrade is not possible, customers can manually inspect the generated main.py for any collaborationInstruction values that contain """ sequences and replace them with \"\"\" before deploying or running the agent locally. Note that this only neutralizes the specific break-out described above; it does not retroactively clean an artifact that has already been deployed, so the deploy step above should still be repeated once the CLI is upgraded.
References:
Please email aws-security@amazon.com with any security questions or concerns.