PatchSiren cyber security CVE debrief
CVE-2026-11417 AWS CVE debrief
CVE-2026-11417 is a HIGH-severity vulnerability in the NodejsFunction local bundling pipeline of aws-cdk-lib. An actor who controls the value of one or more bundling properties (externalModules, define, loader, inject, or esbuildArgs) might execute arbitrary commands on the host running the CDK toolchain via injected shell metacharacters. Exploitation therefore requires the threat actor to control the value of at least one of those bundling properties in the CDK application.
- Vendor: AWS
- Product: AWS Cloud Development Kit library
- CVSS: HIGH (7)
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-10
Who should care
Users of aws-cdk-lib before version 2.245.0 (2.246.0 on Windows) are affected and should plan remediation.
Technical summary
The vulnerability exists in the NodejsFunction local bundling pipeline in aws-cdk-lib. Specifically, an actor who controls the value of one or more bundling properties (externalModules, define, loader, inject, or esbuildArgs) might be able to execute arbitrary commands on the host running the CDK toolchain via injected shell metacharacters.
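As an added example (not code from the advisory or from aws-cdk-lib), the guard below inspects the five bundling properties named above for shell metacharacters before synthesis, so a value read from configuration or the environment is rejected before it reaches the local bundling pipeline. The property names are the real NodejsFunction bundling fields; the metacharacter set and the array/map shapes assumed for each property are assumptions.

```javascript
// Added example, not code from the advisory or from aws-cdk-lib: a pre-synth guard for the
// NodejsFunction bundling properties named in CVE-2026-11417. Property names are the real
// bundling fields; the metacharacter set and the object/array shapes are assumptions.
const AFFECTED_PROPS = ['externalModules', 'define', 'loader', 'inject', 'esbuildArgs'];
// Characters that let a value break out of one argument when a command is assembled as a
// shell string. Quotes and '*' are deliberately excluded: define values such as '"prod"'
// and externals such as '@aws-sdk/*' are legitimate and would be false positives.
const SHELL_METACHARS = /[;&|`$<>\n\r]/;

// Flatten one property to the strings that would reach the command line: array elements,
// or both keys and values of a map (define, loader and esbuildArgs are key/value maps).
function collectStrings(name, value) {
  if (value === undefined || value === null) return [];
  if (Array.isArray(value)) return value.map((v) => ({ path: `${name}[]`, text: String(v) }));
  if (typeof value === 'object') {
    return Object.entries(value).flatMap(([k, v]) => [
      { path: `${name}.${k} (key)`, text: k },
      { path: `${name}.${k}`, text: String(v) },
    ]);
  }
  return [{ path: name, text: String(value) }];
}

// Return every offending string with its location; an empty array means the props are clean.
function findShellMetachars(bundling) {
  const findings = [];
  for (const name of AFFECTED_PROPS) {
    for (const item of collectStrings(name, bundling[name])) {
      if (SHELL_METACHARS.test(item.text)) findings.push(item);
    }
  }
  return findings;
}

// Fail the synth before the bundler runs, so a tainted value never reaches the local
// bundling pipeline; returns the props unchanged when they are clean.
function assertSafeBundling(bundling) {
  const findings = findShellMetachars(bundling);
  if (findings.length > 0) {
    const detail = findings.map((f) => `${f.path}=${JSON.stringify(f.text)}`).join('; ');
    throw new Error(`Refusing to bundle, unsafe bundling properties: ${detail}`);
  }
  return bundling;
}

// Constructed sample inputs: a legitimate configuration, and one whose define value carries
// a shell separator, as it might if it were read unvalidated from an environment variable.
const cleanBundling = {
  externalModules: ['@aws-sdk/*'], define: { 'process.env.STAGE': '"prod"' },
  loader: { '.png': 'dataurl' }, esbuildArgs: { '--log-limit': '0', '--tree-shaking': true },
};
const taintedBundling = { define: { 'process.env.STAGE': '"prod"; echo injected' } };
```

Call `assertSafeBundling(bundling)` on the object you are about to pass to `NodejsFunction`; on a patched aws-cdk-lib it is redundant, on an unpatched one it turns a silent command injection into a failed synth.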
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to aws-cdk-lib 2.245.0 (2.246.0 on Windows) or later.
Evidence notes
The CVE record (CVE.org) and the NVD detail are listed under Official resources below, together with the source reference this debrief draws on.
Official resources
- CVE-2026-11417 CVE record (CVE.org)
- CVE-2026-11417 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: ff89ba41-3aa1-4d27-914a-91399e9639e5