{"id":"CVE-2026-13760","summary":"OS Command Injection in aws-cdk-lib Docker Bundling","details":"OS command injection in the NodejsFunction Docker bundling pipeline (OsCommand helper) in AWS aws-cdk-lib on all platforms might allow a actor who controls dependency version strings in a project's package.json file to execute arbitrary commands on the host running the CDK toolchain via injected shell metacharacters in the OsCommand helper. This issue requires the actor to control the content of a package.json dependency version string that is processed during Docker-based bundling with nodeModules specified.\n\n\n\nTo remediate this issue, users should upgrade to v2.260.0.","aliases":["GHSA-vcrf-j523-4mrf"],"modified":"2026-07-08T08:11:12.505635113Z","published":"2026-07-01T19:05:18.671Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/13xxx/CVE-2026-13760.json","cna_assigner":"AMZN","cwe_ids":["CWE-78"]},"references":[{"type":"ADVISORY","url":"https://aws.amazon.com/security/security-bulletins/2026-050-aws/"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/13xxx/CVE-2026-13760.json"},{"type":"ADVISORY","url":"https://github.com/aws/aws-cdk/security/advisories/GHSA-vcrf-j523-4mrf"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-13760"},{"type":"FIX","url":"https://github.com/aws/aws-cdk/releases/tag/v2.260.0"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/aws/aws-cdk","events":[{"introduced":"0"},{"fixed":"a987f75109aff2ecc1ec1ac063edeb96232858aa"}],"database_specific":{"source":["AFFECTED_FIELD","REFERENCES"],"extracted_events":[{"introduced":"0"},{"fixed":"2.260.0"}]}}],"versions":["v2.259.0","v2.258.1","v2.258.0","v2.257.0","v2.256.1","v2.256.0","v2.255.0","v2.254.0","v2.253.1","v2.253.0","v2.252.0","v2.251.0","v2.250.0","v2.249.0","v2.248.0","v2.247.0","v2.246.0","v2.245.0","v2.244.0","v2.243.0","v2.242.0","v2.241.0","v2.240.0","v2.239.0","v2.238.0","v2.237.1","v2.237.0","v2.236.0","v2.235.1","v2.235.0","v2.234.1","v2.234.0","v2.233.0","v2.232.2","v2.232.1","v2.232.0","v2.231.0","v2.230.0","v2.229.1","v2.229.0","v2.228.0","v2.227.0","v2.226.0","v2.225.0","v2.224.0","v2.223.0","v2.222.0","v2.221.1","v2.221.0","v2.220.0","v2.219.0","v2.214.0","v2.218.0","v2.217.0","v2.216.0","v2.215.0","v2.213.0","v2.212.0","v2.211.0","v2.210.0","v2.209.1","v2.209.0","v2.208.0","v2.207.0","v2.206.0","v2.205.0","v2.204.0","v2.203.1","v2.203.0","v2.202.0","v2.201.0","v2.200.2","v2.200.1","v2.200.0","v2.199.0","v2.198.0","v2.197.0","v2.196.1","v2.196.0","v2.195.0","v2.194.0","v2.193.0","v2.192.0","v2.191.0","v2.190.0","v2.189.1","v2.189.0","v2.188.0","v2.187.0","v2.186.0","v2.185.0","v2.184.1","v2.184.0","v2.183.0","v2.182.0","v2.181.1","v2.181.0","v2.180.0","v2.179.0","v2.178.2","v2.178.1","v2.178.0","v2.177.0","v2.176.0","v2.175.1","v2.175.0","v2.174.1","v2.174.0","v2.173.4","v2.173.3","v2.173.2","v2.173.1","v2.173.0","v2.172.0","v2.171.1","v2.171.0","v2.170.0","v2.169.0","v2.168.0","v2.167.2","v2.167.1","v2.167.0","v2.166.0","v2.165.0","v2.164.1","v2.164.0","v2.163.1","v2.163.0","v2.162.1","v2.162.0","v2.161.1","v2.161.0","v2.160.0","v2.159.1","v2.159.0","v2.158.0","v2.157.0","v2.156.0","v2.155.0","v2.154.1","v2.154.0","v2.153.0","v2.152.0","v2.151.1","v2.151.0","v2.150.0","v2.149.0","v2.148.1","v2.148.0","v2.147.3","v2.147.2","v2.147.1","v2.147.0","v2.146.0","v2.145.0","v2.144.0","v2.143.1","v2.143.0","v2.142.1","v2.142.0","v2.141.0","v2.140.0","v2.139.1","v2.139.0","v2.138.0","v2.137.0","v2.136.1","v2.136.0","v2.135.0","v2.134.0","v2.133.0","v2.132.1","v2.132.0","v2.131.0","v2.130.0","v2.129.0","v2.128.0","v2.127.0","v2.126.0","v2.125.0","v2.124.0","v2.123.0","v2.122.0","v2.121.1","v2.121.0","v2.120.0","v2.119.0","v2.118.0","v2.117.0","v2.116.1","v2.116.0","v2.115.0","v2.114.1","v2.114.0","v2.113.0","v2.112.0","v2.111.0","v2.110.1","v2.110.0","v2.109.0","v2.108.1","v2.108.0","v2.107.0","v2.106.1","v2.106.0","v2.105.0","v2.104.0","v2.103.1","v2.103.0","v2.102.1","v2.102.0","v2.101.1","v2.101.0","v2.100.0","v2.99.1","v2.99.0","v2.98.0","v2.97.1","v2.97.0","v2.96.2","v2.96.1","v2.96.0","v2.95.1","v2.95.0","v2.94.0","v2.93.0","v2.92.0","v2.91.0","v2.90.0","v2.89.0","v2.88.0","v2.87.0","v2.86.0","v2.85.0","v2.84.0","v2.83.1","v2.83.0","v2.82.0","v2.81.0","v2.80.0","v2.79.1","v2.79.0","v2.78.0","v2.77.0","v2.76.0","v2.75.1","v2.75.0","v2.74.0","v2.73.0","v2.72.1","v2.72.0","v2.70.0","v2.69.0","v2.68.0","v2.67.0","v2.66.1","v2.66.0","v2.65.0","v2.64.0","v2.63.2","v2.63.1","v2.63.0","v2.62.2","v2.62.1","v2.62.0","v2.61.1","v2.61.0","v2.60.0","v2.59.0","v2.58.1","v2.58.0","v2.57.0","v2.56.1","v2.56.0","v2.55.1","v2.55.0","v2.54.0","v2.53.0","v2.52.1","v2.52.0","v2.51.1","v2.51.0","v2.50.0","v2.49.1","v2.49.0","v2.48.0","v2.47.0","v2.46.0","v2.45.0","v2.44.0","v2.43.1","v2.43.0","v2.42.1","v2.42.0","v2.41.0","v2.40.0","v2.39.1","v2.39.0","v2.38.1","v2.38.0","v2.37.1","v2.37.0","v2.36.0","v2.35.0","v2.34.2","v2.34.1","v2.34.0","v2.33.0","v2.32.1","v2.32.0","v2.31.2","v2.31.1","v2.31.0","v2.30.0","v2.29.1","v2.29.0","v2.28.1","v2.28.0","v2.27.0","v2.26.0","v2.25.0","v2.24.1","v2.24.0","v2.23.0","v2.22.0","v2.21.1","v2.21.0","v2.20.0","v2.19.0","v2.18.0","v2.17.0","v2.16.0","v2.15.0","v2.14.0","v2.13.0","v2.12.0","v2.11.0","v2.10.0","v2.9.0","v2.8.0","v2.7.0","v2.6.0","v2.5.0","v2.4.0","v2.3.0","v2.2.0","v2.1.0","v2.0.0","v2.0.0-rc.33","v2.0.0-rc.32","v2.0.0-rc.31","v2.0.0-rc.30","v2.0.0-rc.29","v2.0.0-rc.28","v2.0.0-rc.27","v2.0.0-rc.26","v2.0.0-rc.25","v2.0.0-rc.24","v2.0.0-rc.23","v2.0.0-rc.22","v2.0.0-rc.21","v2.0.0-rc.20","v2.0.0-rc.19","v2.0.0-rc.18","v2.0.0-rc.17","v2.0.0-rc.16","v2.0.0-rc.15","v2.0.0-rc.14","v2.0.0-rc.13","v2.0.0-rc.12","v2.0.0-rc.11","v2.0.0-rc.10","v2.0.0-rc.9","v2.0.0-rc.8","v2.0.0-rc.7","v2.0.0-rc.6","v2.0.0-rc.5","v2.0.0-rc.4","v2.0.0-rc.3","v2.0.0-rc.1","v2.0.0-alpha.14","v2.0.0-alpha.13","v2.0.0-alpha.12","v2.0.0-alpha.11","v2.0.0-alpha.10","v1.19.0","v1.18.0","v1.17.1","v1.17.0","v1.16.1","v1.16.0","v1.15.0","v1.14.0","v1.13.1","v1.13.0","v1.12.0","v1.11.0","v1.10.0","v1.9.0","v1.8.0","v1.7.0","v1.6.1","v1.6.0","v1.5.0","v1.4.0","v1.3.0","v1.2.0","v1.1.0","v1.0.0","v0.39.0","v0.38.0","v0.37.0","v0.36.2","v0.36.1","v0.36.0","v0.35.0","v0.34.0","v0.33.0","v0.32.0","v0.31.0","v0.30.0","v0.29.0","v0.28.0","v0.27.0","v0.26.0","v0.25.3","v0.25.2","v0.25.0","v0.24.1","v0.24.0","v0.23.0","v0.22.0","v0.21.0","v0.20.0","v0.19.0","v0.18.1","v0.18.0","v0.17.0","v0.16.0","v0.15.2","v0.15.1","v0.15.0","v0.14.1","v0.14.0","v0.13.0","v0.12.0","v0.11.0","v0.10.0","v0.9.2","v0.9.1","v0.9.0","v0.8.2","v0.8.1","v0.8.0","v0.7.4-beta","v0.7.3-beta","v0.7.2-beta","v0.7.1-beta","v0.7.0-beta"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-13760.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}]}