Server-Side Request Forgery in Strands Agents by Strands
CVE-2026-15746

6.9MEDIUM

Key Information:

Vendor

Amazon

Vendor
CVE Published:
15 July 2026

What is CVE-2026-15746?

The Strands Agents utilizing the elasticsearch_memory tool suffer from a server-side request forgery (SSRF) vulnerability. This flaw allows an attacker to manipulate connection parameters, potentially leaking sensitive information such as the Elasticsearch API key to unauthorized hosts. When the api_key parameter is omitted, the tool defaults to using the operator's ELASTICSEARCH_API_KEY environment variable, leading to further risks. Users are strongly advised to upgrade to version 0.7.0 or later of strands-agents-tools to mitigate this issue and should also consider rotating their API keys as a safety measure.

Affected Version(s)

strands-agents-tools 0 < 0.7.0

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.