CVE-2026-15746: CWE-918 Server-Side request forgery (SSRF) in Amazon strands-agents-tools
Strands Agents is an open-source Python SDK for building and running AI agents. The strands-agents-tools package provides pre-built tools for use with the SDK, including the elasticsearch_memory tool for agent memory storage. We identified CVE-2026-15746, a server-side request forgery (SSRF) issue in the elasticsearch_memory tool. The tool exposed its connection parameters (es_url, cloud_id, api_key) as fields the large language model (LLM) could control through the tool schema. When a caller omitted the api_key parameter, the tool fell back to the operator's ELASTICSEARCH_API_KEY environment variable and sent it to whichever host the LLM specified. A crafted prompt could cause the tool to connect to a threat-actor-controlled server and disclose the operator's Elasticsearch API key in the Authorization header. We recommend you upgrade to strands-agents-tools version 0.7.0 or later. As a precautionary measure, we recommend all operators rotate their ELASTICSEARCH_API_KEY, even if there is no indication the credential was exposed.
AI Analysis
Technical Summary
The strands-agents-tools package includes an elasticsearch_memory tool that allows an LLM to control certain connection parameters, including es_url, cloud_id, and api_key. If the api_key parameter is not provided by the caller, the tool falls back to using the operator's ELASTICSEARCH_API_KEY environment variable. This behavior enables a crafted prompt to cause the tool to send the operator's Elasticsearch API key in the Authorization header to an attacker-controlled host, resulting in a server-side request forgery (SSRF) vulnerability (CWE-918). The vulnerability has a CVSS 4.0 base score of 6.9, indicating medium severity. The vendor advisory recommends upgrading to version 0.7.0 or later and rotating the API key as a precaution. The vendor advisory URL is https://aws.amazon.com/security/security-bulletins/2026-056-aws/. No explicit remediation level or patch availability is stated in the advisory.
Potential Impact
An attacker who can influence the large language model input can exploit this vulnerability to cause the elasticsearch_memory tool to send the operator's Elasticsearch API key to a server controlled by the attacker. This disclosure of sensitive credentials could lead to unauthorized access to Elasticsearch resources. The vulnerability does not require privileges or user interaction beyond the crafted prompt and has a medium severity rating.
Mitigation Recommendations
The vendor recommends upgrading to strands-agents-tools version 0.7.0 or later to address this vulnerability. Additionally, operators should rotate their ELASTICSEARCH_API_KEY environment variable as a precautionary measure, even if there is no indication that the key has been exposed. Patch status is not explicitly confirmed in the advisory; therefore, check the vendor advisory at https://aws.amazon.com/security/security-bulletins/2026-056-aws/ for the latest remediation guidance.
CVE-2026-15746: CWE-918 Server-Side request forgery (SSRF) in Amazon strands-agents-tools
Description
Strands Agents is an open-source Python SDK for building and running AI agents. The strands-agents-tools package provides pre-built tools for use with the SDK, including the elasticsearch_memory tool for agent memory storage. We identified CVE-2026-15746, a server-side request forgery (SSRF) issue in the elasticsearch_memory tool. The tool exposed its connection parameters (es_url, cloud_id, api_key) as fields the large language model (LLM) could control through the tool schema. When a caller omitted the api_key parameter, the tool fell back to the operator's ELASTICSEARCH_API_KEY environment variable and sent it to whichever host the LLM specified. A crafted prompt could cause the tool to connect to a threat-actor-controlled server and disclose the operator's Elasticsearch API key in the Authorization header. We recommend you upgrade to strands-agents-tools version 0.7.0 or later. As a precautionary measure, we recommend all operators rotate their ELASTICSEARCH_API_KEY, even if there is no indication the credential was exposed.
CVSS v4.0
Score 6.9medium
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The strands-agents-tools package includes an elasticsearch_memory tool that allows an LLM to control certain connection parameters, including es_url, cloud_id, and api_key. If the api_key parameter is not provided by the caller, the tool falls back to using the operator's ELASTICSEARCH_API_KEY environment variable. This behavior enables a crafted prompt to cause the tool to send the operator's Elasticsearch API key in the Authorization header to an attacker-controlled host, resulting in a server-side request forgery (SSRF) vulnerability (CWE-918). The vulnerability has a CVSS 4.0 base score of 6.9, indicating medium severity. The vendor advisory recommends upgrading to version 0.7.0 or later and rotating the API key as a precaution. The vendor advisory URL is https://aws.amazon.com/security/security-bulletins/2026-056-aws/. No explicit remediation level or patch availability is stated in the advisory.
Potential Impact
An attacker who can influence the large language model input can exploit this vulnerability to cause the elasticsearch_memory tool to send the operator's Elasticsearch API key to a server controlled by the attacker. This disclosure of sensitive credentials could lead to unauthorized access to Elasticsearch resources. The vulnerability does not require privileges or user interaction beyond the crafted prompt and has a medium severity rating.
Mitigation Recommendations
The vendor recommends upgrading to strands-agents-tools version 0.7.0 or later to address this vulnerability. Additionally, operators should rotate their ELASTICSEARCH_API_KEY environment variable as a precautionary measure, even if there is no indication that the key has been exposed. Patch status is not explicitly confirmed in the advisory; therefore, check the vendor advisory at https://aws.amazon.com/security/security-bulletins/2026-056-aws/ for the latest remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- AMZN
- Date Reserved
- 2026-07-14T14:55:13.322Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
- Vendor Advisory Urls
- [{"url":"https://aws.amazon.com/security/security-bulletins/2026-056-aws/","vendor":"AWS"}]
Threat ID: 6a57d62468715ace4340ba11
Added to database: 07/15/2026, 18:49:08 UTC
Last enriched: 07/15/2026, 18:59:37 UTC
Last updated: 07/15/2026, 19:27:32 UTC
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.