vulnerability context

CVE-2026-9291

CVSS 7.1 HIGHEPSS 30%CWE-502OTX 8 pulses

Insecure deserialization in the job results processing component in Amazon Braket SDK before 1.117.0 might allow a remote authenticated user with S3 write access to the job output bucket to achieve arbitrary code execution on any machine that processes job results. We recommend you upgrade to amazon-braket-sdk version 1.117.0 or later.

Published 2026-05-22 · last modified 2026-06-17

details

CISA KEV status: Not in catalog
CVSS v3: 7.1 / HIGH
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS: 30% percentile (score 0.0038)
CWE: CWE-502
OTX pulses: 8 total, 0 recent

View on NVD → · cve.org

source mentions 2

[CVE-2026-9291] amazon-braket-sdk vulnerable to Insecure Deserialization via pickle.loads()GitHub Advisories · 50m ago
CVE-2026-9291 - Insecure Deserialization in Amazon Braket SDK Job Results ProcessingAWS Security Bulletins · 2026-05-22

source consensus

GitHub Advisories1×
AWS Security Bulletins1×

Want the 3-bullet summary of CVE-2026-9291, plus webhook alerts when KEV is updated? Pro is $10/mo.

Open in reader See Pro →