CVE-2026-7461

HIGH

OS Command Injection in Amazon ECS Agent via FSx Windows File Server Volume Credentials

Title source: cna

Description

Improper neutralization of inputs used in an OS command in the FSx Windows File Server volume mounting component in Amazon ECS Agent on Windows before version 1.103.0 might allow a remote authenticated threat actor to execute shell commands with SYSTEM privileges on the underlying host via a specially crafted username field in an ECS task definition. This issue requires permissions to register ECS task definitions or write to the Secrets Manager or SSM Parameter Store credentials used by the FSx volume configuration. To remediate this issue, users should upgrade to version 1.103.0.

References (3)

[Patch] https://github.com/aws/amazon-ecs-agent/releases/tag/v1.103.0

[Vendor Advisory] https://aws.amazon.com/security/security-bulletins/2026-024-aws/

[Third Party Advisory] https://github.com/aws/amazon-ecs-agent/security/advisories/GHSA-fc67-c4hg-q653

Scores

CVSS v3 7.2

EPSS 0.0003

EPSS Percentile 7.8%

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-78

Status published

Products (1)

AWS/Amazon ECS Agent 1.47.0 - 1.102.0

Published Apr 30, 2026

Tracked Since May 01, 2026