Cybersecurity researchers have uncovered a significant vulnerability in Amazon Bedrock AgentCore's sandbox mode, where outbound DNS queries can be abused to bypass network isolation. This flaw allows attackers to establish command-and-control (C2) channels and exfiltrate sensitive data even when "no network access" is configured. By exploiting this behavior, threat actors can gain interactive reverse shells and deliver additional malicious payloads to the AI environment, particularly if the service is assigned overprivileged IAM roles.
In addition to the AWS findings, security flaws were disclosed in LangSmith and the SGLang framework. LangSmith was affected by a high-severity account takeover vulnerability (CVE-2026-25750) stemming from URL parameter injection. Meanwhile, SGLang faces multiple unpatched critical remote code execution vulnerabilities (CVE-2026-3059, CVE-2026-3060, and CVE-2026-3989) due to unsafe pickle deserialization within its ZeroMQ broker and disaggregation modules.
To mitigate these risks, Amazon recommends migrating workloads from sandbox mode to VPC mode and implementing DNS firewalls to monitor outbound traffic. For SGLang users, experts advise strict network segmentation and auditing IAM roles to enforce the principle of least privilege, reducing the potential impact of an exploit in these increasingly critical AI infrastructure components.
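A defender-side detection heuristic for the DNS-based exfiltration described above, matching the DNS-firewall monitoring Amazon recommends, added here as an example (not code from the article, AWS or any of the named projects): it groups resolver query logs by registered domain and flags domains that receive many distinct, long subdomain payloads. The log format and records are constructed for this example and only loosely modelled on Route 53 Resolver query logs; the thresholds are assumptions to tune per environment.

```python
import json
from collections import defaultdict

# Constructed sample, loosely modelled on Route 53 Resolver query-log records;
# field names and values are assumptions for this example, not captured data.
SAMPLE_LOG = """\
{"srcaddr":"10.0.1.23","query_name":"bedrock-runtime.us-east-1.amazonaws.com.","query_type":"A"}
{"srcaddr":"10.0.1.23","query_name":"sts.amazonaws.com.","query_type":"A"}
{"srcaddr":"10.0.1.23","query_name":"bedrock-runtime.us-east-1.amazonaws.com.","query_type":"A"}
{"srcaddr":"10.0.1.23","query_name":"4a6f686e20446f652c2073.d7f3a1b2.tunnel-example.test.","query_type":"TXT"}
{"srcaddr":"10.0.1.23","query_name":"35353332303030303030.a1b2c3d4.tunnel-example.test.","query_type":"TXT"}
{"srcaddr":"10.0.1.23","query_name":"9f8e7d6c5b4a39281716.15141312.tunnel-example.test.","query_type":"TXT"}
{"srcaddr":"10.0.1.23","query_name":"pypi.org.","query_type":"A"}
"""


def split_name(qname, depth=2):
    """Return (registered_domain, subdomain_payload). depth=2 is a simplification;
    a production check would consult the Public Suffix List (e.g. for co.uk)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-depth:]), "".join(labels[:-depth])


def find_tunneling_candidates(log_text, min_payload=16, min_distinct=3):
    """Flag registered domains that receive many distinct, long subdomain payloads.
    Normal lookups repeat a small set of hostnames; data smuggled in query names
    produces a stream of never-repeating labels carrying the encoded chunks."""
    per_domain = defaultdict(lambda: {"payloads": set(), "bytes": 0, "types": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        domain, payload = split_name(rec["query_name"])
        if len(payload) < min_payload:
            continue  # ordinary short hostnames cannot carry meaningful data
        d = per_domain[domain]
        d["payloads"].add(payload)
        d["bytes"] += len(payload)
        d["types"].add(rec["query_type"])
    return {
        dom: {"distinct_payloads": len(d["payloads"]), "payload_bytes": d["bytes"],
              "query_types": sorted(d["types"])}
        for dom, d in per_domain.items() if len(d["payloads"]) >= min_distinct
    }


if __name__ == "__main__":
    for dom, info in find_tunneling_candidates(SAMPLE_LOG).items():
        print(f"suspect DNS tunnelling to {dom}: {info}")
```

In the sample, the repeated AWS service lookups share one long hostname and stay below the distinct-payload threshold, while the three unique hex-laden names under the same test domain are flagged; in practice, feed the function a window of resolver logs and alert on any registered domain that crosses the thresholds.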