
CVE-2026-13760 - OS Command Injection in NodejsFunction Docker Bundling in aws-cdk-lib

Severity: Low
Tags: Vulnerability, CVE-2026-13760, rce
Published: 07/01/2026 (07/01/2026, 19:09:41 UTC)
Source: AWS Security Bulletins

Description

Bulletin ID: 2026-050-AWS
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 07/01/2026 12:15 PM PDT

Description: AWS CDK (aws-cdk-lib) is an open-source framework for defining cloud infrastructure in code and provisioning it through AWS CloudFormation. We identified CVE-2026-13760, an OS command injection issue in the NodejsFunction Docker bundling pipeline in aws-cdk-lib before 2.260.0 that could allow an actor who controls dependency version strings in a project's package.json file to execute arbitrary commands on the host running the CDK toolchain via injected shell metacharacters in the OsCommand helper. This issue requires the actor to control the content of a package.json dependency version string that is processed during Docker-based bundling with nodeModules specified.

Impacted versions: < 2.260.0

Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.

Affected software

aws-cdk-lib
pkg:npm/aws-cdk-lib
Affected versions
<2.260.0


AI-Powered Analysis (machine-generated threat intelligence)

Last updated: 07/01/2026, 19:18:42 UTC

Technical Analysis

AWS CDK (aws-cdk-lib) versions prior to 2.260.0 contain an OS command injection vulnerability in the NodejsFunction Docker bundling pipeline. An attacker controlling dependency version strings in package.json can inject shell metacharacters, leading to arbitrary command execution on the host running the CDK toolchain. This vulnerability requires the use of Docker-based bundling with nodeModules specified. The issue is resolved in version 2.260.0. Mitigations include upgrading to 2.260.0 or later, using only trusted sources for dependency versions, or using local bundling instead of Docker-based bundling to avoid the vulnerable code path.

Potential Impact

An attacker who can control dependency version strings in a package.json file processed during Docker-based bundling can execute arbitrary OS commands on the host running the AWS CDK toolchain. This could lead to unauthorized code execution and potential compromise of the build environment. The impact is limited to environments using vulnerable aws-cdk-lib versions with Docker-based bundling and nodeModules specified.

Mitigation Recommendations

A fix is available in aws-cdk-lib version 2.260.0; upgrading to this version or later is the recommended remediation. As a workaround, ensure that all modules and their version strings in package.json come from trusted sources. Alternatively, use local bundling instead of Docker-based bundling to avoid the vulnerable code path. Follow the official AWS Security Bulletin for the latest guidance.
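A pre-build check a defender could run against a project's package.json, written here as an added example and not code from the AWS bulletin or from aws-cdk-lib itself: it reports whether the declared aws-cdk-lib version is still below the fixed 2.260.0 and flags dependency version strings that carry shell metacharacters, the vector the bulletin describes. The sample package.json is constructed, and the function and field names are this example's own.

```javascript
// Added example (not from the AWS bulletin or the aws-cdk-lib code base).
// Audits a parsed package.json for CVE-2026-13760 exposure: is the declared
// aws-cdk-lib version still below the fixed release, and does any dependency
// version string carry shell metacharacters (the injection vector described)?
const FIXED_VERSION = "2.260.0";

// Shell metacharacters that never appear in a legitimate npm version spec.
// Semver range operators (^ ~ < > = || * x) and git/file URL characters are
// deliberately excluded to avoid false positives.
const SHELL_META = /[;&`$(){}\n\\'"!?]/;

// "^2.250.0" -> [2, 250, 0]; returns null for tags ("latest"), "*", URLs, etc.
function parseSemver(spec) {
  const m = /^[\^~=v]?(\d+)\.(\d+)\.(\d+)/.exec(String(spec).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function isBelow(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

// cdkStatus: "absent" | "unknown" (spec not pinned to a version) | "vulnerable" | "fixed".
// The check is on the declared minimum; confirm the resolved version in the lockfile.
function auditPackageJson(pkg) {
  const result = { cdkStatus: "absent", suspicious: [] };
  const sections = ["dependencies", "devDependencies", "peerDependencies", "optionalDependencies"];
  for (const section of sections) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (typeof spec !== "string" || SHELL_META.test(spec)) {
        result.suspicious.push({ section, name, spec: String(spec) });
      }
      if (name === "aws-cdk-lib") {
        const v = parseSemver(spec);
        if (!v) result.cdkStatus = "unknown";
        else result.cdkStatus = isBelow(v, parseSemver(FIXED_VERSION)) ? "vulnerable" : "fixed";
      }
    }
  }
  return result;
}

// Constructed sample: an old aws-cdk-lib floor and one hostile version string.
const SAMPLE = {
  name: "demo-stack",
  dependencies: { "aws-cdk-lib": "^2.250.0", constructs: "^10.0.0" },
  devDependencies: { "left-pad": "1.3.0; echo injected" },
};

console.log(JSON.stringify(auditPackageJson(SAMPLE), null, 2));
```

Run it against the real package.json with `JSON.parse(fs.readFileSync(...))` in place of SAMPLE; a non-empty `suspicious` list or a `vulnerable` status should fail the build before any Docker-based bundling starts.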


Technical Details

Article Source: https://aws.amazon.com/security/security-bulletins/rss/2026-050-aws/ (fetched 2026-07-01T19:18:35.899Z)

Threat ID: 6a45680b27e9c79719fce598

Added to database: 07/01/2026, 19:18:35 UTC

Last enriched: 07/01/2026, 19:18:42 UTC

Last updated: 07/01/2026, 23:11:25 UTC
