CVE-2026-12530 - Improper neutralization of argument delimiters in AWS Bedrock AgentCore Python SDK install_packages()
Bulletin ID: 2026-044-AWS
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 06/17/2026 14:15 PM PDT
Description:
The AWS Bedrock AgentCore Python SDK (bedrock-agentcore) is an open-source SDK that enables developers to build, deploy, and manage agents on AWS Bedrock AgentCore. We identified CVE-2026-12530, an issue in the install_packages() method of the Code Interpreter client. The method applied an incomplete blocklist to sanitize package name arguments before constructing a 'pip install' shell command executed within the Code Interpreter sandbox. This allowed crafted package name arguments to bypass validation - most critically, pip's '--index-url' flag, which could redirect package resolution to a third-party-controlled PyPI server, and the '-r' flag, which could read and expose arbitrary sandbox files.
Impacted versions: AWS Bedrock AgentCore Python SDK (bedrock-agentcore) versions >= 1.1.3 and < 1.6.1
Resolution:
This issue has been addressed in bedrock-agentcore version 1.6.1. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.
Workarounds:
If you are unable to upgrade immediately, avoid passing any user-supplied or externally-influenced strings directly to install_packages(). Restrict calls to a fixed, hardcoded list of approved package names within your application code.
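One way to enforce the fixed-list workaround in application code, as an added example that is not part of the SDK or of this bulletin. The allowlist contents, the function names and the `install` callable (a stand-in for the client's install_packages() method, whose exact signature is not given here) are assumptions.

```python
import re

# Constructed allowlist for illustration; list only what your agent needs.
APPROVED_PACKAGES = frozenset({"numpy", "pandas", "requests"})

# A plain project name, optionally pinned with ==version. The first character
# must be alphanumeric, so anything shaped like an option is refused, and no
# whitespace or shell metacharacter can match.
_SPEC_RE = re.compile(
    r"([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)"
    r"(?:==([A-Za-z0-9][A-Za-z0-9.!+_-]*))?"
)


class RejectedPackage(ValueError):
    """Raised when a requested spec is not an approved plain package name."""


def _normalize(name):
    # PEP 503 normalization, so "Pandas" and "pandas" compare equal.
    return re.sub(r"[-_.]+", "-", name).lower()


def approved_specs(requested, approved=APPROVED_PACKAGES):
    """Return the specs unchanged if all are approved; raise otherwise."""
    if isinstance(requested, str):
        raise RejectedPackage("pass a list of specs, not a single string")
    allowed = {_normalize(n) for n in approved}
    checked = []
    for spec in requested:
        # fullmatch: the whole string must be a spec, trailing newline included.
        m = _SPEC_RE.fullmatch(spec) if isinstance(spec, str) else None
        if m is None:
            raise RejectedPackage(f"not a plain package spec: {spec!r}")
        if _normalize(m.group(1)) not in allowed:
            raise RejectedPackage(f"package not approved: {m.group(1)!r}")
        checked.append(spec)
    return checked


def install_approved(install, requested):
    """Validate first, then hand the list to `install` (hypothetical callable
    standing in for the Code Interpreter client's install_packages())."""
    return install(approved_specs(requested))
```

The check is an allowlist rather than a blocklist: a request is rejected as a whole if any entry fails, so nothing reaches the pip command line unless every entry is a known package name.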
References:
Acknowledgement:
We would like to thank Sergio Garcia for collaborating on this issue through the coordinated vulnerability disclosure process.
Please email aws-security@amazon.com with any security questions or concerns.