Insecure Deserialization Vulnerability in Amazon Braket SDK by AWS
CVE-2026-9291
7.5 HIGH
What is CVE-2026-9291?
The job results processing component of the Amazon Braket SDK prior to version 1.117.0 performs insecure deserialization. A remote authenticated user who has S3 write access to the job output bucket could exploit this, which may allow arbitrary code execution on any machine that processes job results. Users are strongly advised to upgrade to version 1.117.0 or later to mitigate this vulnerability.
Affected Version(s)
Amazon Braket Python SDK 1.10.0 < 1.117.0
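To find hosts and projects that still need the upgrade, the following added example (not part of the advisory or of the SDK) audits pip-style requirement lines against the affected range, read here as 1.10.0 up to but not including 1.117.0. The distribution name `amazon-braket-sdk` is the SDK's PyPI name; the sample lines and the status labels are constructed for illustration.

```python
import re

PACKAGE = "amazon-braket-sdk"      # PyPI distribution name, normalized
FIRST_AFFECTED = (1, 10, 0)        # lower bound listed in the advisory
FIRST_FIXED = (1, 117, 0)          # first fixed release per the advisory

# Constructed sample of pip-style requirement lines (not from a real project).
SAMPLE_REQUIREMENTS = """\
Amazon_Braket_SDK==1.116.2
boto3==1.34.0
amazon-braket-sdk==1.117.0   # patched
amazon.braket.sdk==1.9.5
amazon-braket-sdk>=1.50
"""

LINE_RE = re.compile(r"([A-Za-z0-9._-]+)\s*(==|>=|<=|~=|!=|<|>)?\s*([\w.]+)?")

def normalize(name):
    """PEP 503 normalization: case-insensitive, runs of '-', '_', '.' are equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_version(text):
    """Numeric release as a 3-tuple; pre-release suffixes such as 'rc1' are ignored."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def audit(requirements_text):
    """Return (line, status) for every line that names the Braket SDK."""
    findings = []
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = LINE_RE.match(line)
        if not m or normalize(m.group(1)) != PACKAGE:
            continue
        _, op, ver = m.groups()
        if op != "==" or not ver:
            # A range or bare name does not say what is installed: check the lock file.
            status = "unpinned"
        elif FIRST_AFFECTED <= parse_version(ver) < FIRST_FIXED:
            status = "affected"
        else:
            status = "outside_range"
        findings.append((line, status))
    return findings

if __name__ == "__main__":
    for line, status in audit(SAMPLE_REQUIREMENTS):
        print(f"{status:14} {line}")
```

Lines reported as `unpinned` need a look at the resolved lock file or the installed environment, since a range alone does not show which release is in use.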
