Improper Input Handling in Amazon ECS Agent on Windows
CVE-2026-7461

7.5 HIGH

Key Information:

Vendor: AWS

CVE Published: 30 April 2026

What is CVE-2026-7461?

The Amazon ECS Agent on Windows prior to version 1.103.0 contains an input handling vulnerability that could allow a remote authenticated attacker to execute shell commands with SYSTEM privileges. This vulnerability arises from inadequate neutralization of input used in OS command execution, specifically within the FSx Windows File Server volume mounting component. To exploit this issue, an attacker must have permissions to register ECS task definitions or write to the associated Secrets Manager or SSM Parameter Store. Users are urged to upgrade to version 1.103.0 to mitigate this vulnerability.

Affected Version(s)

Amazon ECS Agent Windows 1.47.0 <= 1.102.0

CVSS V4

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Sachin Patil