Issue #267
Monday · June 29, 2026
🥖 Palate Cleanser
A while back Eduard Agavriloae got in touch about an idea he's been kicking around for a long time. He loves how PortSwigger do their yearly top 10 web hacking techniques and wanted cloud security to have something similar. Eduard is very handsome, so I had little choice but to agree.
This week we're launching the AWS Security Digest Top 10, an annual community-driven list of the year's most important AWS security research. Nominations are open through September 30, so go put forward the research that actually taught you something this year, your own work included.
Unrelated but fun, AWS shipped Lambda MicroVMs, a new serverless primitive that gives you VM-level isolation with near-instant launch and can suspend and resume for up to eight hours, aimed at people running untrusted or AI-generated code like coding assistants and vulnerability scanners. Naturally, someone has already turned it into a party trick: whim spins up a throwaway root shell inside one and lets it vanish a couple of seconds later. Aidan Steele's day-one notes are the best map of the security-relevant edges, from the first-class shell API down to web identity tokens that carry no MicroVM identity yet.
📋 Chef's selections
MCP Auto-Execution: From Git Clone to Cloud Compromise in Amazon Q VS Code Extension
Open the wrong repo in VS Code and Amazon Q would read a .amazonq/mcp.json file from its root and auto-start every MCP server listed inside with no approval prompt. Those processes inherited your shell environment, so a booby-trapped repo could quietly run aws sts get-caller-identity and curl your access key and session token to an attacker, just from opening the folder. It got patched... the patch being the radical step of asking first.
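The mitigation the patch landed on is a trust gate: list what a repo-supplied config would start, and ask before starting anything that has not been approved from outside the repo. The script below is an added example of that gate, not code from the write-up or from the Amazon Q extension. The path `.amazonq/mcp.json` is the one named above; the `mcpServers` / `command` / `args` / `env` layout is the common MCP client config layout and is assumed here. The sample checkout it audits is constructed inline, and nothing in it executes a server.

```python
"""Audit a checkout for repo-supplied MCP server config before anything runs (added example).

The path .amazonq/mcp.json is the one from the write-up; the
mcpServers/command/args/env layout is the usual MCP client config layout and is
an assumption here. Nothing in this script executes a server: it lists what
would start and whether it matches a config a human has already approved.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

REPO_MCP_CONFIG = Path(".amazonq") / "mcp.json"
SHELLS = {"sh", "bash", "zsh", "cmd", "cmd.exe", "powershell", "pwsh"}


def server_fingerprint(name, spec):
    """Stable hash of one server entry, so approval is tied to the exact command line."""
    canonical = json.dumps({"name": name, "spec": spec}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def load_repo_mcp_config(repo_root):
    """Return the parsed repo-local MCP config, or None when the checkout has none."""
    path = Path(repo_root) / REPO_MCP_CONFIG
    if not path.is_file():
        return None
    with path.open(encoding="utf-8") as fh:
        return json.load(fh)


def audit_servers(config, approved_fingerprints):
    """Describe every server the config would start and whether it is pre-approved.

    approved_fingerprints is kept outside the repo (for example in the user's own
    settings), so a repository cannot approve itself.
    """
    report = []
    for name, spec in (config or {}).get("mcpServers", {}).items():
        command = str(spec.get("command", ""))
        warnings = []
        if os.path.basename(command).lower() in SHELLS:
            warnings.append("command is a shell interpreter")
        aws_env = sorted(k for k in spec.get("env", {}) if k.upper().startswith("AWS_"))
        if aws_env:
            warnings.append("sets AWS environment variables: " + ", ".join(aws_env))
        fp = server_fingerprint(name, spec)
        report.append({
            "name": name,
            "command_line": " ".join([command] + [str(a) for a in spec.get("args", [])]),
            "fingerprint": fp,
            "approved": fp in approved_fingerprints,
            "warnings": warnings,
        })
    return report


def servers_needing_approval(report):
    """Names of servers that must be confirmed by the user before they may start."""
    return [entry["name"] for entry in report if not entry["approved"]]


# Constructed sample config standing in for a cloned repository's .amazonq/mcp.json.
SAMPLE_CONFIG = {
    "mcpServers": {
        "docs-search": {"command": "npx", "args": ["-y", "example-docs-mcp"]},
        "repo-helper": {"command": "bash", "args": ["scripts/helper.sh"], "env": {"AWS_PROFILE": "prod"}},
    }
}


def demo():
    """Write the constructed checkout to a temp dir, audit it, return (report, names needing approval)."""
    with tempfile.TemporaryDirectory() as root:
        path = Path(root) / REPO_MCP_CONFIG
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(json.dumps(SAMPLE_CONFIG), encoding="utf-8")
        cfg = load_repo_mcp_config(root)
        # Only docs-search was approved earlier; repo-helper has to be confirmed first.
        approved = {server_fingerprint("docs-search", SAMPLE_CONFIG["mcpServers"]["docs-search"])}
        report = audit_servers(cfg, approved)
        return report, servers_needing_approval(report)


if __name__ == "__main__":
    report, needing = demo()
    for entry in report:
        print(entry)
    print("needs approval:", needing)
```

Tying approval to a fingerprint of the exact server entry means a later commit that changes the command or arguments drops back to "needs approval" instead of riding on an earlier yes.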
Behind the console: An AiTM phishing kit harvesting AWS console credentials and beyond
Three look-alike AWS sign-in domains registered between June 16 and 18 ran an adversary-in-the-middle proxy in front of the real console, and the kit's code looks built to forward a victim's password and live MFA code to the operator's /api/auth endpoint for real-time replay into the account. It appears to be the same kit NVISO documented as PoisonSeeds in 2025, which hit the likes of SendGrid and Okta, now redressed for AWS. The best part for defenders is the DNS IOCs plus a CloudTrail ConsoleLogin and impossible-travel hunt you can run today.
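The impossible-travel hunt mentioned above boils down to: take successful ConsoleLogin events per principal, order them by time, and flag any consecutive pair whose distance divided by elapsed time exceeds what a human can plausibly travel, with MFA-less successes flagged alongside. The script below is an added example of that logic, not the published hunt or anything from the kit. The CloudTrail field names (`eventName`, `eventTime`, `sourceIPAddress`, `userIdentity`, `responseElements.ConsoleLogin`, `additionalEventData.MFAUsed`) are the real ones; the events and the IP-to-coordinates table are constructed for the demo, standing in for a GeoIP lookup so it runs offline.

```python
"""Impossible-travel hunt over CloudTrail ConsoleLogin events (added example).

CloudTrail field names are the real ones; the events and the IP-to-location
table below are constructed so the demo runs offline.
"""
import math
from collections import defaultdict
from datetime import datetime, timezone

# Constructed geolocation table standing in for a GeoIP database (lat, lon).
GEO = {
    "203.0.113.10": (52.52, 13.40),    # Berlin
    "203.0.113.11": (52.50, 13.42),    # Berlin, a few km away
    "198.51.100.7": (-33.87, 151.21),  # Sydney
}

# Anything faster than an airliner between two sign-ins is not a person moving.
MAX_PLAUSIBLE_KMH = 900.0


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) pairs in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def parse_time(ts):
    """CloudTrail eventTime is ISO 8601 UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def principal_of(event):
    ident = event.get("userIdentity", {})
    return ident.get("arn") or ident.get("userName") or ident.get("principalId", "unknown")


def hunt_console_logins(events, geo=GEO, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return findings: MFA-less successful logins, and impossible travel between successes."""
    findings = []
    by_principal = defaultdict(list)
    for ev in events:
        if ev.get("eventName") != "ConsoleLogin":
            continue
        if ev.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue  # failures are noise for travel; hunt them separately
        if ev.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            findings.append({"type": "no_mfa", "principal": principal_of(ev),
                             "ip": ev.get("sourceIPAddress"), "time": ev["eventTime"]})
        by_principal[principal_of(ev)].append(ev)

    for principal, evs in by_principal.items():
        evs.sort(key=lambda e: parse_time(e["eventTime"]))
        for prev, cur in zip(evs, evs[1:]):
            loc_prev, loc_cur = geo.get(prev["sourceIPAddress"]), geo.get(cur["sourceIPAddress"])
            if loc_prev is None or loc_cur is None:
                continue  # unknown IP: no coordinates, no speed
            km = haversine_km(loc_prev, loc_cur)
            hours = (parse_time(cur["eventTime"]) - parse_time(prev["eventTime"])).total_seconds() / 3600
            # Same place is never impossible; same second from far apart is infinitely fast.
            speed = 0.0 if km == 0 else (math.inf if hours == 0 else km / hours)
            if speed > max_kmh:
                findings.append({"type": "impossible_travel", "principal": principal,
                                 "from_ip": prev["sourceIPAddress"], "to_ip": cur["sourceIPAddress"],
                                 "km": round(km), "hours": round(hours, 2)})
    return findings


# Constructed sample events in CloudTrail's shape (trimmed to the fields used here).
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "eventTime": "2026-06-22T08:00:00Z", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"userName": "alice"}, "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventName": "ConsoleLogin", "eventTime": "2026-06-22T09:00:00Z", "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"userName": "alice"}, "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventName": "ConsoleLogin", "eventTime": "2026-06-22T10:30:00Z", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"userName": "alice"}, "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "ConsoleLogin", "eventTime": "2026-06-22T10:31:00Z", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"userName": "alice"}, "responseElements": {"ConsoleLogin": "Failure"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "ConsoleLogin", "eventTime": "2026-06-22T09:00:00Z", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"userName": "bob"}, "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
]

if __name__ == "__main__":
    for finding in hunt_console_logins(SAMPLE_EVENTS):
        print(finding)
```

Run against a real trail, the `geo` argument becomes a GeoIP lookup and the threshold is tuned down for principals who only ever sign in from one office; the AiTM kit above completes the login from the operator's infrastructure, which is exactly the kind of hop this surfaces.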
💸 Sponsor shoutout
Meet Pleri: your AI security engineer. She’s not a chatbot. Pleri proactively finds meaningful security work and fixes issues before they become problems. Learn more about Pleri and see her in action.
🥗 AWS security blogs
- 📢 AWS Network Firewall now supports managed threat intelligence rules from VisionHeight
- 📢 Amazon Route 53 Global Resolver now supports sharing DNS Views between AWS Accounts
- 📢 Amazon CloudWatch Logs supports managed syslog ingestion
- 📢 Amazon Cognito now supports customer managed key for encryption at rest
- 📢 Amazon CloudWatch launches OTel Container Insights for Amazon EKS
- 📢 AWS Network Firewall updates default drop action for improved connection reliability
- 📢 AWS IAM Identity Center now supports separate quotas for AWS accounts and applications
- 📢 Introducing self-service lifecycle management capabilities for AWS Outposts
- Securing AI-driven APIs on AWS with Wallarm by Aliaksei Ivanou
- Getting your SMS short code production-ready with AWS End User Messaging by Harshvardhan Chunawala
- MARS-E to ARC-AMPE: Guide for state Medicaid agencies on AWS by Vignesh Srinivasan
- Restrict AWS Management Console access to expected networks with sign-in resource-based policies and RCPs by Swara Gandhi
- Prevent data exfiltration: AWS egress controls for cloud workloads by Meriem SMACHE
🍛 Reddit threads on r/aws
🤖 Dessert
Every machine-tracked change this week. Nobody else assembles this.
🧁 IAM permission changes
🍪 API changes
🍹 IAM managed policy changes
- AmazonDataZoneSageMakerEnvironmentRolePermissionsBoundary
- AWSSecurityHubV2ServiceRolePolicy
- AWSSecurityHubServiceRolePolicy
- AIDevOpsOperatorAppAccessPolicy
- AIDevOpsAgentFullAccess
- AIDevOpsAgentAccessPolicy
- AmazonSSMServiceRolePolicy
- AmazonInspector2ThirdPartyServiceRolePolicy
- AWSObservabilityAdminTelemetryEnablementServiceRolePolicy
- AIDevOpsAgentActionsPolicy
- AWSSupportServiceRolePolicy
- AmazonEMRServicePolicyForSessions
- AWSConfigThirdPartyServiceRolePolicy
- AWSLambdaServiceRolePolicy
- AWSLambdaNetworkConnectorOperatorPolicy
- AmazonElasticsearchServiceRolePolicy
- AWSServiceRoleForUserSubscriptions
☕ CloudFormation resource changes
🎮 Amazon Linux vulnerabilities
- CVE-2026-57918: libnfs integer underflow OOB read
- CVE-2026-9079: curl proxy credential leak
- CVE-2026-8932: curl connection reuse with mismatched mTLS
- CVE-2026-8926: curl wrong .netrc password used
- CVE-2026-9705: Keycloak disabled client re-enable bypass
- CVE-2026-57451: vim OOB read via crafted undo file
- CVE-2026-9799: Keycloak UMA per-resource access bypass
- CVE-2026-55693: vim stack OOB write in spellfile
- CVE-2026-8924: curl super cookie injection
- CVE-2026-9547: curl SSH host key mismatch accepted (MITM)
- CVE-2026-11352: curl QUIC DoS via empty datagrams
- CVE-2026-8286: curl STARTTLS connection reuse with mismatched TLS
- CVE-2026-9546: curl Referer header leak
- CVE-2026-55895: vim netrw Vimscript injection (RCE)
- CVE-2026-12992: wsdl4j/Apicurio WSDL import SSRF
- CVE-2026-11586: curl WebSocket PING memory exhaustion DoS
- CVE-2026-8925: curl GSASL double free
- CVE-2026-12844: perl-List-SomeUtils heap buffer overflow
- CVE-2026-11564: curl stale CA trust on reused handle
- CVE-2026-9099: Keycloak group reparent privesc to realm takeover
- CVE-2026-54679: jq integer overflow buffer overrun (32-bit)
- CVE-2026-9800: Keycloak Policy Enforcer auth bypass (8.1)
- CVE-2026-8927: curl proxy auth header leak across proxies
- CVE-2026-57452: vim OOB read decrypting short VimCrypt file
- CVE-2026-46601: rclone webp decoder panic DoS
- CVE-2026-10536: curl HTTP/2 stream-dependency use-after-free
- CVE-2026-57454: vim OOB read via crafted undo/swap file
- CVE-2026-11856: curl Digest auth header leak across origins
- CVE-2026-55556: rsyslog imhttp heap corruption via auth header
- CVE-2026-12064: curl SSH security options bypassed via schemeless URL
- CVE-2026-57453: vim zip plugin PowerShell command injection
- CVE-2026-9080: curl use-after-free in curl_easy_pause()
- CVE-2026-57456: vim Python omni-completion code execution
- CVE-2026-8458: curl wrong connection reuse for Negotiate auth
- CVE-2026-9545: curl HTTP/3 impostor server trusted (MITM)
- CVE-2026-55892: vim spell prefix trie OOB
- CVE-2026-56123: socat SOCKS5 heap buffer overflow (8.1)
- CVE-2026-57455: vim spell sound-fold buffer overflow
- CVE-2026-49851: python-mistune ReDoS in parse_link_text
- CVE-2026-13006: texlive/logback-core arbitrary code execution
- CVE-2026-56370: ImageMagick OOB access in ConnectedComponents
- CVE-2026-56368: ImageMagick memory leak DoS
- CVE-2026-49980: rclone rcd unauthenticated file access (9.8)
- CVE-2026-9539: qemu/libslirp OOB read leaks host memory
- CVE-2026-0864: python configparser config injection
- CVE-2026-57062: GnuPG gpgsm accepts short AES-GCM ICV
- CVE-2025-61028: virtuoso DoS via crafted SQL
- CVE-2026-55653: OpenSSH DH-GEX double free via malicious server
- CVE-2026-54518: jackson-databind unwrapped creator property bypass
- CVE-2026-54515: jackson-databind @JsonIgnoreProperties bypass
- CVE-2026-54516: jackson-databind property rename ignore bypass
- CVE-2026-55655: OpenSSH X11 forwarding hijack
- CVE-2026-50221: OpenStack Swift internal header injection
- CVE-2026-54512: jackson-databind polymorphic deserialization bypass (8.1)
- CVE-2025-61022: virtuoso DoS via crafted SQL
- CVE-2025-61020: virtuoso DoS via crafted SQL
- CVE-2026-11820: ansible nexmo module credential leak in URL
- CVE-2025-61023: virtuoso DoS via crafted SQL
- CVE-2025-61019: virtuoso DoS via crafted SQL
- CVE-2026-54517: jackson-databind @JsonView filter bypass
- CVE-2025-61018: virtuoso DoS via crafted SQL
- CVE-2026-57053: libidn OOB read of uninitialized memory
- CVE-2026-12892: gstreamer H.264 MVC/SVC heap OOB read
- CVE-2026-50193: jackson-databind DoS via deep nesting
- CVE-2026-12969: dnsmasq OOB read parsing NS records
- CVE-2026-54513: jackson-databind array type allowlist bypass (8.1)
- CVE-2026-54514: jackson-databind eager DNS resolution SSRF
- CVE-2026-56371: ImageMagick memory leak in txt coder DoS
- CVE-2026-11940: python tarfile extraction filter bypass
- CVE-2025-61024: virtuoso DoS via crafted SQL
- CVE-2026-55654: OpenSSH GSSAPI heap OOB read
- CVE-2026-56379: ImageMagick SVG command injection
- CVE-2026-56376: ImageMagick meta coder use-after-free
- CVE-2026-56968: GNU SASL NTLM memory disclosure
- CVE-2025-61027: virtuoso DoS via crafted SQL
- CVE-2026-12891: gstreamer H.266/VVC OOB read
📺 AWS security bulletins
🚬 Security documentation changes
- Aurora DSQL IAM condition keys docs rewritten
- AWS Backup restore override list-value format documented
- Config TLS policy rule adds custom allowed-policies check
- Config EC2 key pair rule scope clarified
- ELB removes RFC 9151 (CNSA 1.0) security policies
- EMR cross-account default database fix documented
- Organizations PrivateLink expands to all commercial regions
- Polly warns of hallucination risk in generative voices
- Redshift adds permissions for Iceberg DELETE on Lake Formation
- SageMaker code example adds explicit UTF-8 decoding
- SageMaker ABAC example switches to ModelTrainer
- SageMaker training examples switch to ModelTrainer
- SageMaker adds cross-account model deploy examples
- SageMaker examples switch to ModelTrainer, trim KMS permissions
- Bedrock adds console data retention mode option
- AWS CLI version bumped, VPN features added
- Cognito adds 'sub' claim format validation note
- Cognito clarifies UUID format and validation guidance
- Cognito adds 'sub' attribute format validation note
- Connect clarifies agent provisioning for IdP integration
- DCV renames USB allow list to compatibility filter
- DCV clarifies USB allow list is not a security control
- GovCloud adds FIPS crypto and region availability section
- Inspector clarifies SBOM contents are not sanitized
- Lambda adds error handling section recommending DLQs
- Lambda documents combining DLQs with EventBridge
- Systems Manager drops Ubuntu 16.04 from SSM Agent support
- Systems Manager automation adds FailOnUnexpectedStopped param
- Systems Manager adds Quick Setup patch policy managed policies
- VPN client adds enforced TLS and data channel crypto
- VPN client 5.4.0 release notes added
- Wickr adds non-SSO session timeout configuration
- Wickr June 2026 notes add session timeout and consent banner
- WorkSpaces renames device allowlist to compatibility filter