OS Command Injection in AWS CDK Library Impacting Node.js Functions
CVE-2026-13760

7 HIGH

Key Information:

Vendor

AWS

Status
Vendor
CVE Published:
1 July 2026

What is CVE-2026-13760?

A critical vulnerability in aws-cdk-lib allows OS command injection through the Docker bundling pipeline for Node.js functions. An attacker who can manipulate the dependency version strings in a project's package.json can use this flaw to execute arbitrary commands on the host running the AWS Cloud Development Kit (CDK) toolchain. The injection is possible because shell metacharacters in those version strings reach the OsCommand helper during Docker-based bundling. Users are urged to apply the patch provided in version 2.260.0 to mitigate the risks associated with this vulnerability.

Affected Version(s)

AWS CDK (aws-cdk-lib): all versions before 2.260.0

References

CVSS V4

Score:
7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability reserved
