CVE-2026-11417

HIGH SEVERITY

CVSS Score & Metrics

Base Score

7.3 / 10

Vector String

                                        CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H                                    

Vulnerability Description

OS command injection in the NodejsFunction local bundling pipeline in aws-cdk-lib before 2.245.0 (2.246.0 on Windows) might allow an actor who controls the value of one or more bundling properties (externalModules, define, loader, inject, or esbuildArgs) to execute arbitrary commands on the host running the CDK toolchain via injected shell metacharacters. This issue requires the threat actor to control the value of one or more of the affected bundling properties in the CDK application.

To remediate this issue, users should upgrade to aws-cdk-lib 2.245.0 (2.246.0 on Windows) or later.

Vulnerability Details

Published Date

June 10, 2026

Last Modified

June 10, 2026

CWE ID

CWE-78

Source

NVD

Vendor

AWS

Product

AWS Cloud Development Kit library

External References

https://aws.amazon.com/security/security-bulletins/2026-041-aws/
https://github.com/aws/aws-cdk/releases/tag/v2.245.0
https://github.com/aws/aws-cdk/security/advisories/GHSA-999r-qq7v-r334

CVE-2026-11417

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment