CVE-2026-7461 is an OS command injection vulnerability (CWE-78) in the Amazon ECS Agent for Windows, specifically in the FSx Windows File Server volume mounting component. Improper neutralization of special elements in input allows a remote authenticated attacker with high privileges (permissions to register ECS task definitions or write credentials in Secrets Manager or SSM Parameter Store) to execute arbitrary OS commands with SYSTEM-level privileges. This vulnerability affects versions prior to 1.103.0. AWS has released version 1.103.0 of the Amazon ECS Agent to fix this issue. The CVSS v3.1 base score is 7.2, reflecting network attack vector, low attack complexity, high privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. The affected product is a cloud service component, and AWS manages remediation for this service.

Successful exploitation allows an attacker with specific high-level permissions to execute arbitrary OS commands with SYSTEM privileges on the affected host, potentially compromising confidentiality, integrity, and availability of the system. This could lead to full control over the ECS Agent host environment. However, exploitation requires authenticated access with permissions to register ECS task definitions or write credentials used by FSx volume configuration, limiting the attack surface.

AWS has released version 1.103.0 of the Amazon ECS Agent which addresses this vulnerability. Since this is a cloud service component, AWS manages remediation for the cloud-hosted service. Users should ensure they are running version 1.103.0 or later of the Amazon ECS Agent. Review the AWS security bulletin at https://aws.amazon.com/security/security-bulletins/2026-024-aws/ for official guidance and updates. No additional mitigation steps are indicated by the vendor advisory.