Vulnerability DatabaseCVE-2026-7461
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-7461
Published:April 30, 2026
Updated:May 18, 2026
Improper neutralization of inputs used in an OS command in the FSx Windows File Server volume mounting component in Amazon ECS Agent on Windows before version 1.103.0 might allow a remote authenticated threat actor to execute shell commands with SYSTEM privileges on the underlying host via a specially crafted username field in an ECS task definition. This issue requires permissions to register ECS task definitions or write to the Secrets Manager or SSM Parameter Store credentials used by the FSx volume configuration. To remediate this issue, users should upgrade to version 1.103.0.
Affected Packages
https://github.com/aws/amazon-ecs-agent.git (GITHUB):
Affected version(s) >=v1.47.0 <v1.103.0
Fix Suggestion:
Update to version v1.103.0
Related Resources (3)
https://github.com/aws/amazon-ecs-agent/security/advisories/GHSA-fc67-c4hg-q653
https://aws.amazon.com/security/security-bulletins/2026-024-aws/
https://github.com/aws/amazon-ecs-agent/releases/tag/v1.103.0
Do you need more information?
Contact Us
CVSS v4
Base Score:
7.5
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
PRESENT
Privileges Required
HIGH
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
7.2
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Weakness Type (CWE)
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-78
EPSS
Base Score:
0.04