Vulnerability Report

CVE-2026-11417

RCE

Title: OS Command Injection in NodejsFunction Bundling Pipeline

RCE

Proof Of Concept

PoC Available for CVE-2026-11417

CWE Category CWE-78

Published Date Jun 10, 2026

Modified Date Jun 10, 2026

Exploit Status Available

Score 7.0 CVSS v4.0

Exploit Probability (EPSS)

0.66%

Vulnerability Summary

CVE-2026-11417: OS command injection in the NodejsFunction local bundling pipeline in aws-cdk-lib before 2.245.0 (2.246.0 on Windows) might allow an actor who controls the value of one or more bundling properties (externalModules, define, loader, inject, or esbuildArgs) to execute arbitrary commands on the host running the CDK toolchain via injected shell metacharacters. This issue requires the threat actor to control the value of one or more of the affected bundling properties in the CDK application. To remediate this issue, users should upgrade to aws-cdk-lib 2.245.0 (2.246.0 on Windows) or later.

Impacted Vendors

Analysis in Progress...

Reference Links

https://aws.amazon.com/security/security-bulletins/2026-041-aws/ https://github.com/aws/aws-cdk/releases/tag/v2.245.0 https://github.com/aws/aws-cdk/security/advisories/GHSA-999r-qq7v-r334

CVSS v4.0

Source Entity ff89ba41-3aa1-4d27-914a-91399e9639e5

Severity HIGH

7.0

Attack Vector

LOCAL

Complexity

LOW

Privileges

N/A

Interaction

ACTIVE

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

N/A

RAW VECTOR

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS v3.1

Source Entity ff89ba41-3aa1-4d27-914a-91399e9639e5

Severity HIGH

7.3

Attack Vector

LOCAL

Complexity

LOW

Privileges

N/A

Interaction

REQUIRED

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

UNCHANGED

RAW VECTOR CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Associated Attack Patterns (CAPEC)

Total: Patterns

CVE-2026-11417 Exploits & PoCs (Proof Of Concept)

GitHub https://github.com/HeshamASH/CVE-2026-11417-AWS-CDK-RCE

View Code

June 10, 2026 MODIFIED

Vulnerability data updated via NVD.

Attack Vector Matrix

Access Vector LOCAL

Complexity LOW

Privileges N/A

Interaction ACTIVE

CVSS Vector String


                                    CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Affected Stack

No specific products linked.