CVE-2026-9291

HIGH NVD

CVSS Score 7.1

Severity HIGH

Published May 22, 2026

Vendor unknown

Description

Insecure deserialization in the job results processing component in Amazon Braket SDK before 1.117.0 might allow a remote authenticated user with S3 write access to the job output bucket to achieve arbitrary code execution on any machine that processes job results. We recommend you upgrade to amazon-braket-sdk version 1.117.0 or later.

References

https://aws.amazon.com/security/security-bulletins/2026-036-aws/
https://github.com/amazon-braket/amazon-braket-sdk-python/releases/tag/v1.117.0
https://github.com/amazon-braket/amazon-braket-sdk-python/security/advisories/GHSA-g697-2xrc-gc46