CVE-2026-11417

HIGH

AWS Cloud Development Kit Library < 2.245.0 - Command Injection


Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-11417. PoCs published by HeshamASH.

AI-analyzed exploit summary: This repository contains a functional proof-of-concept exploit for CVE-2026-11417, demonstrating OS command injection in AWS CDK's NodejsFunction bundling process. The exploit leverages unsanitized input in the `externalModules` property to execute arbitrary shell commands during `cdk synth`.

Description

OS command injection in the NodejsFunction local bundling pipeline in aws-cdk-lib before 2.245.0 (2.246.0 on Windows) might allow an actor who controls the value of one or more bundling properties (externalModules, define, loader, inject, or esbuildArgs) to execute arbitrary commands on the host running the CDK toolchain via injected shell metacharacters. This issue requires the threat actor to control the value of one or more of the affected bundling properties in the CDK application. To remediate this issue, users should upgrade to aws-cdk-lib 2.245.0 (2.246.0 on Windows) or later.
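To make the mechanism in the description concrete, the following TypeScript is an added example written for this page; it is not code from aws-cdk-lib or from the HeshamASH proof of concept. It models the unsafe shape the advisory describes (bundling property values interpolated into a single esbuild command string that is then handed to a shell) next to the hardened shape (values audited for shell metacharacters and passed as an argv array with no shell involved). The esbuild flag spellings, the helper names (`buildShellCommandUnsafe`, `findShellMetacharacters`, `buildArgvSafe`) and the sample property values are assumptions constructed for illustration, not the library's internals.

```typescript
// Added illustration for CVE-2026-11417; not code from aws-cdk-lib or the PoC.
// Models the pattern the advisory describes: the five affected bundling
// properties are interpolated into one command string that a shell executes,
// so metacharacters inside a value become shell syntax on the synth host.

export interface BundlingProps {
  externalModules?: string[];
  define?: Record<string, string>;
  loader?: Record<string, string>;
  inject?: string[];
  esbuildArgs?: Record<string, string | boolean>;
}

// Turns the affected properties into esbuild arguments. Flag spellings are
// illustrative (assumption); the point is how user-supplied values flow in.
function esbuildArgs(entry: string, props: BundlingProps): string[] {
  const args = ['--bundle', entry, '--platform=node'];
  for (const m of props.externalModules ?? []) args.push(`--external:${m}`);
  for (const [k, v] of Object.entries(props.define ?? {})) args.push(`--define:${k}=${v}`);
  for (const [ext, l] of Object.entries(props.loader ?? {})) args.push(`--loader:${ext}=${l}`);
  for (const i of props.inject ?? []) args.push(`--inject:${i}`);
  for (const [k, v] of Object.entries(props.esbuildArgs ?? {})) args.push(v === true ? k : `${k}=${v}`);
  return args;
}

// VULNERABLE shape: everything joined into a single string meant for
// `bash -c` (or `cmd /c`). A value such as "aws-sdk; curl attacker" is no
// longer one argument: the shell ends the esbuild command at ';' and runs
// whatever follows, with the privileges of whoever ran `cdk synth`.
export function buildShellCommandUnsafe(entry: string, props: BundlingProps): string {
  return ['esbuild', ...esbuildArgs(entry, props)].join(' ');
}

// Characters that terminate, chain or substitute a command in sh/bash
// (`&` and `|` also chain in cmd.exe). Quotes are deliberately not listed:
// `define` values are legitimately JSON strings such as "\"production\"",
// and they are harmless once no shell is involved.
const SHELL_META = /[;&|`$<>\n\r]/;

// Audit helper: returns "property[index-or-key]" for every value that would
// alter a shell command. Worth running when bundling props are assembled from
// cdk.json context, environment variables or a shared construct library.
export function findShellMetacharacters(props: BundlingProps): string[] {
  const hits: string[] = [];
  const check = (path: string, value: string) => {
    if (SHELL_META.test(value)) hits.push(path);
  };
  (props.externalModules ?? []).forEach((m, i) => check(`externalModules[${i}]`, m));
  (props.inject ?? []).forEach((m, i) => check(`inject[${i}]`, m));
  for (const [k, v] of Object.entries(props.define ?? {})) check(`define[${k}]`, `${k}=${v}`);
  for (const [k, v] of Object.entries(props.loader ?? {})) check(`loader[${k}]`, `${k}=${v}`);
  for (const [k, v] of Object.entries(props.esbuildArgs ?? {})) check(`esbuildArgs[${k}]`, `${k}=${v}`);
  return hits;
}

// HARDENED shape: refuse tainted values, then hand back an argv array intended
// for child_process.spawnSync(file, args, { shell: false }). Each value stays
// exactly one argument whatever it contains, so there is no shell to inject into.
export function buildArgvSafe(entry: string, props: BundlingProps): { file: string; args: string[] } {
  const tainted = findShellMetacharacters(props);
  if (tainted.length > 0) {
    throw new Error(`refusing to bundle: shell metacharacters in ${tainted.join(', ')}`);
  }
  return { file: 'esbuild', args: esbuildArgs(entry, props) };
}

// Constructed sample inputs for the example; not taken from any real project.
export const benignProps: BundlingProps = {
  externalModules: ['aws-sdk', '@aws-sdk/client-s3'],
  define: { 'process.env.NODE_ENV': '"production"' },
};
export const injectedProps: BundlingProps = {
  externalModules: ['aws-sdk; echo INJECTED'],
};
```

With `injectedProps`, `buildShellCommandUnsafe` yields a string ending in `--external:aws-sdk; echo INJECTED`, which a shell would split into the esbuild invocation and a second command; `buildArgvSafe` rejects the same input, and with `benignProps` it returns an argv array that would be safe even if a value did contain `;`. The vector on this page rates the issue local with user interaction required because the payload only runs when someone on that host executes `cdk synth`; the fix is to move to aws-cdk-lib 2.245.0, or 2.246.0 on Windows, where cmd.exe has additional metacharacters (`%`, `^`) beyond the set this audit checks.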

Exploits (1)

GitHub · WORKING POC
by HeshamASH · TypeScript · PoC
https://github.com/HeshamASH/CVE-2026-11417-AWS-CDK-RCE


Classification: Working PoC (100%)
Attack type: RCE
Complexity: trivial
Reliability: reliable
Target: aws-cdk-lib versions prior to 2.245.0
No auth needed
Prerequisites: aws-cdk-lib installed · Node.js environment · cdk synth execution
devstral-2 · analyzed Jun 13, 2026


Scores

CVSS v3.1 7.3
EPSS 0.0003
EPSS Percentile 10.4%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-78
Status published
Products (1)
AWS/AWS Cloud Development Kit library < 2.245.0
Published Jun 10, 2026
Tracked Since Jun 11, 2026