OS Command Injection in AWS CDK Toolchain Affecting AWS
CVE-2026-11417

CVSS v4 score: 7 (HIGH)

Key Information:

Vendor
AWS

CVE Published:
10 June 2026

What is CVE-2026-11417?

An OS command injection vulnerability exists in the local bundling pipeline used by the NodejsFunction construct in aws-cdk-lib before version 2.245.0 (before 2.246.0 on Windows). An attacker who can control the values of certain bundling properties, such as externalModules, define, loader, inject, or esbuildArgs, can use them to execute arbitrary commands on the host running the AWS CDK toolchain. Users should update to aws-cdk-lib 2.245.0 or newer (2.246.0 or newer on Windows).

Affected Version(s)

AWS Cloud Development Kit library (aws-cdk-lib): all versions before 2.245.0 (before 2.246.0 on Windows)

CVSS v4

Score: 7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published
  • Vulnerability reserved