Server-Side Request Forgery in Strands Agents by Strands
CVE-2026-15746
6.9MEDIUM
What is CVE-2026-15746?
The Strands Agents utilizing the elasticsearch_memory tool suffer from a server-side request forgery (SSRF) vulnerability. This flaw allows an attacker to manipulate connection parameters, potentially leaking sensitive information such as the Elasticsearch API key to unauthorized hosts. When the api_key parameter is omitted, the tool defaults to using the operator's ELASTICSEARCH_API_KEY environment variable, leading to further risks. Users are strongly advised to upgrade to version 0.7.0 or later of strands-agents-tools to mitigate this issue and should also consider rotating their API keys as a safety measure.
Affected Version(s)
strands-agents-tools 0 < 0.7.0
