Bulletin ID: 2026-041-AWS
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 06/10/2026 10:45 AM PDT

Description:

AWS CDK (aws-cdk-lib) is an open-source framework for defining cloud infrastructure in code and provisioning it through AWS CloudFormation. We identified CVE-2026-11417, an OS command injection issue in the NodejsFunction local bundling pipeline in aws-cdk-lib before 2.245.0 (2.246.0 on Windows) that may allow an actor who controls the value of one or more bundling properties (externalModules, define, loader, inject, or esbuildArgs) to execute arbitrary commands on the host running the CDK toolchain via injected shell metacharacters. This issue requires the actor to control the value of one or more of the affected bundling properties in the CDK application.

Impacted versions: < 2.245.0 (on Windows, < 2.246.0)

Resolution:

This issue has been addressed in aws-cdk-lib version 2.245.0 (2.246.0 on Windows). We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.

Workarounds:

Ensure values passed to NodejsFunction bundling properties come only from trusted sources and audit third-party constructs and pull requests that set them. Upgrading to a fixed version is the recommended remediation.

References:

• CVE-2026-11417
• GHSA-999r-qq7v-r334

Acknowledgement:

We would like to thank the external reporter Hesham Ashraf who collaborated on this issue through the AWS Vulnerability Disclosure Program (coordinated vulnerability disclosure process).

Please email aws-security@amazon.com with any security questions or concerns.