Issue #269
Monday · July 13, 2026
🥖 Palate Cleanser
I wouldn't typically share this but because it was an "isolated matter" and "there is no impact to Accenture operations", I thought it was safe to do so. Apparently Accenture had 35 GB of data walked, (allegedly) including Azure PATs (personal access tokens) and Azure Storage access keys. Since this is an AWS newsletter I can only assume those credentials are unimportant to operations. 🙃
AWS added OAuth support to its MCP Server this week to meet agents' need to act on a user's behalf without being handed long-lived AWS credentials, so now they trade SigV4 creds for a short-lived, scoped OAuth token. OAuth drags in its own vocabulary of authorization codes, refresh tokens, scopes and service principals, and getting it wrong hands someone a token that acts as one of your identities. One of this week's Chef's Selection picks walks through how the four new signin: actions quietly reshape what your existing IAM policies already permit, so this is the week to learn the concepts.
A couple of weeks back we introduced ASD's The Top 10 AWS Security Research of 2026 and asked for nominations. We already have 12 nominations but we need more. Keep them coming.
This issue is also available to share online. Got feedback? Tell us here.
📋 Chef's selections
The Two Mitigations for the Service Account Confused Deputy in the Cloud
by Kat Traxler
A confused deputy is just some service with more access than you, tricked into doing the thing you couldn't do yourself. Kat walks through the only two places you get to stop it: at attach time, by controlling who can bind an identity to a workload (iam:PassRole in AWS), or at call time, by making the provider verify the request itself (Forward Access Sessions, aws:SourceAccount). The part people miss is that iam:PassRole is a one-shot check. It fires when the role gets attached and never again, so from then on the workload just pulls tokens from the metadata endpoint and nobody re-asks whether that was ever OK.
AWS Just Added OAuth to the MCP Server. It Silently Changed the Meaning of Your Existing IAM
by Bala Paranj
When AWS gave the MCP Server OAuth support it also shipped four signin: actions for issuing and revoking tokens, and this post makes the uncomfortable point that they landed inside a namespace your policies already cover. Any statement granting signin:* or a bare * now silently authorizes minting an OAuth token via signin:CreateOAuth2Token against the aws-mcp.amazonaws.com service principal, no policy edit required. It ships with a detection tool (Stave) and CloudTrail detection guidance to find who can already do this in your account, which is more homework than most "the sky is falling" posts bother with.
Agent Solves All 122 of Pathfinding.cloud Labs
Eduard (organizer of the Top 10 AWS Security Research) built an autonomous offensive agent, handed it the near-empty starting hand of sts:GetCallerIdentity and iam:GetUser, then turned it loose on all 122 of Datadog's Pathfinding Labs, a public set of deliberately broken AWS environments. It captured every flag, averaging nine turns a lab, and it wasn't a frontier model doing the work: a ~35B open-weight model grounded in the team's offensive knowledge graph was enough. The labs that took longest were the ones without public exploitation playbooks (SageMaker, Cognito Identity, App Runner, Batch), which doubles as a fair map of where the non-obvious privesc paths still hide.
💸 Sponsor shoutout
Meet Pleri: your AI security engineer. She’s not a chatbot. Pleri proactively finds meaningful security work and fixes issues before they become problems. Learn more about Pleri and see her in action.
🥗 AWS security blogs
- 📢 Amazon Location Service enhances Places APIs with new address and search options
- 📢 AWS Organizations now applies account departure security controls by default for new organizations created via AWS Organizations console
- 📢 AWS Security Hub now offers Network Scanning to identify publicly reachable resources
- 📢 AWS Security Hub extends unified security management to Microsoft Azure
- 📢 AWS Security Hub adds impact analysis for exposure findings
- 📢 Amazon Cognito now supports self-service provisioned API rate limits
- 📢 AWS Certificate Manager now supports the ACME protocol for public certificates
- 📢 AWS CodePipeline now available in Asia Pacific (New Zealand) region
- Accelerate IRAP readiness with AWS and Wiz by Bryan Rosensteel
- AWS designated as a critical third party to the UK financial sector by Michael Jefferson
- Introducing OAuth Support for AWS MCP Server by Vaibhav Chowla
- Designing for the inevitable: System prompt leakage and mitigations in generative AI applications by Manideep Konakandla
- The CISO’s guide to post-quantum mandates and migrations by Rushir Patel
- Enforce zero data retention on Amazon Bedrock with Bedrock Projects and service control policies by Rob Higareda
- Enforce least-privilege authorization in multi-agent AI chains using Cedar by Dhananjay Karanjkar
🍛 Reddit threads on r/aws
🤖 Dessert
Every machine-tracked change this week. Nobody else assembles this.
🧁 IAM permission changes
No changes this week.
🍪 API changes
- Amazon CloudWatch
- Amazon Elastic Compute Cloud
- Inspector2
- AWS Lambda
- AWS License Manager
- Amazon QuickSight
- Amazon SageMaker Service
- Amazon Connect Service
- Amazon Elastic Compute Cloud
- Amazon GuardDuty
- Amazon Interactive Video Service
- Synthetics
- AWS Sign
- Amazon Bedrock AgentCore Control
- Amazon Elastic Compute Cloud
- Amazon EC2 Container Service
- Amazon Location Service Places V2
- AWS IoT Wireless
- AWS Resilience Hub V2
- AWS Config
- Amazon Connect Service
- Amazon Elastic Compute Cloud
- Inspector2
- AWS Lambda
- AWS Marketplace Catalog Service
- Partner Central Revenue Measurement API
- Amazon Route 53 Global Resolver
- AWS SecurityHub
- Amazon Simple Systems Manager (SSM)
- AWS Billing
- Amazon CloudWatch Logs
- Amazon OpenSearch Service
🍹 IAM managed policy changes
- AWSLicenseManagerUserSubscriptionsServiceRolePolicy
- AmazonEKSServiceRolePolicy
- SecurityAudit
- ReadOnlyAccess
- WellArchitectedConsoleReadOnlyAccess
- WellArchitectedConsoleFullAccess
- SageMakerStudioProjectRoleMachineLearningPolicy
- AWSServiceRoleForImageBuilder
- NetworkAdministrator
- AWSMCPSignInOAuthAccessPolicy
- AmazonInspector2FullAccess_v2
- AWSAccountSettingsManagementRole
- EC2ImageBuilderExecutionPolicy
- AmazonInspector2FullAccess_v2
- AmazonInspector2FullAccess_v2
- AmazonInspector2ReadOnlyAccess
- AWSTransformRevenueAttributionPolicy
- DBModVirtualSource
- AmazonBraketJobsExecutionPolicy
- AmazonBraketFullAccess
- AmazonBraketServiceRolePolicy
- AWSResilienceHubServiceRolePolicy
☕ CloudFormation resource changes
🎮 Amazon Linux vulnerabilities
- CVE-2026-55564: FreeRDP: OOB read in glyph cache (malicious server)
- CVE-2026-57157: FreeRDP: OOB read in camera enumerator (rdpecam)
- CVE-2026-55192: FreeRDP: OOB read in H.264 YUV-to-RGB conversion
- CVE-2026-57156: FreeRDP: integer overflow in Orders Delta Points parsing
- CVE-2026-55193: FreeRDP: heap overflow in TS Gateway RPC fragment recv
- CVE-2026-3886: QEMU: virtio-gpu 2D image allocation overflow
- CVE-2026-55194: FreeRDP: heap overflow in TS Gateway RPC reassembly
- CVE-2026-15028: libarchive: heap overflow via crafted tar archive
- CVE-2026-55648: FreeRDP: integer overflow bypasses bounds check (icon copy)
- CVE-2026-14741: perl HTTP-Date: ambiguous date-parse regex flaw
- CVE-2026-56373: ImageMagick: use-after-free in PDB decoder
- CVE-2026-57158: FreeRDP: heap OOB read in planar RLE decode
- CVE-2026-55191: FreeRDP: heap overflow in AVC444 YUV buffer alloc
- CVE-2026-55827: FreeRDP: heap OOB write in RemoteFX Cache Bitmap V3
- CVE-2026-56366: ImageMagick: memory leak in META reader (APP1JPEG)
- CVE-2026-58459: gpsd (pcp): command injection in gpsprof
- CVE-2026-59857: Vim: OOB in spell_soundfold_sal()
- CVE-2026-15308: Python: html.parser CPU DoS via unterminated markup
- CVE-2026-56289: GNU patch: DoS via malformed unified-diff offsets
- CVE-2026-59856: Vim: OS command exec via PHP omni-completion
- CVE-2026-38076: jbig2dec: integer-overflow DoS
- CVE-2026-59692: GStreamer: stack overflow in DTLS cert-name print
- CVE-2026-59691: GStreamer: heap overflow in rfbsrc (VNC 16bpp)
- CVE-2026-56288: GNU patch: NULL deref on crafted diff
- CVE-2026-59858: Vim: OS command exec via C omni-completion
- CVE-2026-59875: node-tar: uncaught exception via NUL in PAX paths
- CVE-2026-60002: OpenSSH: client UAF on host-key change during rekey
- CVE-2026-58382: GIMP: heap OOB write in JIF parser
- CVE-2026-59998: OpenSSH: GSSAPIStrictAcceptorCheck ignored under AD
- CVE-2026-60000: OpenSSH: MaxAuthTries mishandled with GSSAPI (DoS)
- CVE-2026-42505: Go: Encrypted Client Hello PSK identity disclosure
- CVE-2026-15167: Wireshark: DBS Etherwatch parser crash (DoS)
- CVE-2026-56362: ImageMagick: heap OOB read in GetPixelIndex
- CVE-2026-15171: Wireshark: SSH dissector crash (DoS)
- CVE-2026-59922: Mistune: DoS via marker-pair runs
- CVE-2026-60001: OpenSSH: minimum auth delay not always honored
- CVE-2026-15164: Wireshark: ciscodump crash (DoS)
- CVE-2026-15041: 389-DS: non-constant-time password hash compare
- CVE-2026-15169: Wireshark: UMTS FP dissector crash (DoS)
- CVE-2026-59946: Composer: bin entry path traversal via ..
- CVE-2026-59939: httplib2 (fence-agents): unbounded decompression DoS
- CVE-2026-39822: Go: os.Root symlink escape on trailing-slash path
- CVE-2026-56003: libXfont: heap overflow in computeProps
- CVE-2026-59924: Mistune: Include.parse() path traversal
- CVE-2026-15173: Wireshark: pcapng parser crash (DoS)
- CVE-2026-15168: Wireshark: BLF parser info disclosure
- CVE-2026-15165: Wireshark: TLS ECH decryptor crash (DoS)
- CVE-2026-59923: Mistune: percent-encoded javascript: URI XSS bypass
- CVE-2026-59929: Mistune: safe_url scheme-filter XSS bypass
- CVE-2026-59997: OpenSSH: internal-sftp only honors first 9 args
- CVE-2026-59874: node-tar: DoS via negative-size tar header
- CVE-2026-59927: Mistune: Include directive symlink traversal
- CVE-2026-59926: Mistune: admonition :class: attribute-injection XSS
- CVE-2026-59947: Composer: credential leak in -vvv debug output
- CVE-2026-56000: Xorg: GLX contextTags use-after-free
- CVE-2026-15170: Wireshark: Z39.50 dissector crash (DoS)
- CVE-2026-15163: Wireshark: multiple dissector infinite loops (DoS)
- CVE-2026-59871: node-tar: uncaught TypeError via numeric PAX paths
- CVE-2026-59928: Mistune: DoS via many reference-link definitions
- CVE-2026-59890: setuptools: FileList MANIFEST.in path traversal
- CVE-2026-59925: Mistune: DoS via long asterisk-marker runs
- CVE-2026-15166: Wireshark: IEEE 802.11 dissector crash (DoS)
- CVE-2026-15172: Wireshark: FMP/NOTIFY dissector crash (DoS)
- CVE-2026-59869: js-yaml: quadratic-CPU DoS via merge keys
- CVE-2026-14362: HashiCorp memberlist: push/pull state DoS
- CVE-2026-59873: node-tar: gzip-bomb resource exhaustion
- CVE-2026-33630: c-ares: use-after-free/double-free in query completion
- CVE-2026-59930: Mistune: predictable toc heading-ID collisions
- CVE-2026-58386: GIMP: OOB write in TIM loader
- CVE-2026-58383: GIMP: heap OOB write in JIF parser (ReadJeffsImage)
- CVE-2026-59999: OpenSSH: DisableForwarding didn't override PermitTunnel
- CVE-2026-59996: OpenSSH: scp may write to parent dir (remote-to-remote)
- CVE-2026-58388: GIMP: stack OOB write in SFW94A loader
- CVE-2026-59995: OpenSSH: sftp download path not properly constrained
- CVE-2026-58387: GIMP: OOB write in SFW94A loader (photo_date)
- CVE-2026-56297: FreeRDP: use-after-free in dvcman channel close
- CVE-2026-55999: Xorg: glamor font-atlas heap overflow
- CVE-2026-15174: Wireshark: Catapult DCT2000 dissector crash (DoS)
- CVE-2026-56374: ImageMagick: heap overflow in FTXT encoder
- CVE-2026-59948: Composer: code exec via crafted untrusted package
- CVE-2026-56002: libXfont: heap overflow in PCF font parsing
- CVE-2026-56001: libXfont: integer-overflow heap overflow (BitmapScale)
- CVE-2026-11610: 389-DS: heap overflow in SASL I/O layer
- CVE-2026-58470: GNU Wget: integer overflow in parse_content_range()
- CVE-2026-14380: perl DBI: code injection via caller-influenced Profile
- CVE-2026-14739: perl DBI: heap overflow parsing many placeholders
- CVE-2011-10043: perl Module::Load: loads modules outside @INC
- CVE-2026-14935: GStreamer: inverted SDP crypto check in webrtcbin
- CVE-2026-58469: GNU Wget: heap under-read in clean_metalink_string()
- CVE-2026-7017: perl HTTP::Tiny: forwards creds on cross-origin redirect
- CVE-2026-58384: GIMP: integer overflow in PSD RLE parser
- CVE-2026-14476: SSSD: AD GPO path traversal (.. in SMB path)
- CVE-2026-58472: GNU Wget: heap overflow in html_quote_string()
- CVE-2026-14474: SSSD: LDAP sudo provider searches entire directory
- CVE-2026-58385: GIMP: heap OOB write in PVR decoder
- CVE-2026-58471: GNU Wget: heap overflow in convert_fname()
- CVE-2026-14740: perl DBI: one-byte OOB read in preparse
- CVE-2026-14940: 389-DS: heap overflow normalizing legacy DN
- CVE-2026-50811: FreeType: OOB read in TrueType glyph parsing
- CVE-2026-14969: 389-DS: hardcoded static IV for attribute encryption
- CVE-2026-54291: pgjdbc: channelBinding=require silently downgraded
- CVE-2026-12184: PHP: remote DoS on failed TLS setup
- CVE-2026-59089: GIMP: TIM loader miscalculates buffer size
- CVE-2026-55379: Pillow: OOB read in BDF font parser
- CVE-2026-14803: perl Mojo::JSON: memory exhaustion via deep recursion
- CVE-2026-55798: Pillow: shell command injection in WindowsViewer
- CVE-2026-58380: GIMP: OOB write in PNM parser
- CVE-2026-54060: Pillow: OOB in FontFile.compile() bitmap assembly
- CVE-2026-55380: Pillow: OOB read in GD image header parsing
- CVE-2026-54059: Pillow: OOB in PCF font glyph parsing
- CVE-2026-14781: Keycloak: OIDC broker mishandles email_verified claim
- CVE-2026-14612: FreeIPA: off-by-one in ipa-otpd OAuth2 handler
📺 AWS security bulletins
🚬 Security documentation changes
- WorkSpaces: PCA cert issuance limits can block CBA auth
- SSM Agent: new PGP signing key, prior key expiry warned
- SSM: automation alarm monitoring now uses execution identity
- SSM: drops an IAM permission requirement for alarm integration
- SSM: drops iam:createServiceLinkedRole need for automation cancel
- SSM: drops iam:createServiceLinkedRole need for automation cancel
- Storage Gateway: 3.2.7/2.14.6 security fixes + FIPS PrivateLink
- Storage Gateway: 3.2.7/2.14.6 security fixes + FIPS PrivateLink
- Security Hub: Lambda impact traits list 15 privesc vectors
- Security Hub: EC2 impact traits list 15 privesc vectors
- SageMaker: IAM policy for secure Model Registry promotion
- OpenSearch Serverless: sample code adds creds provider for signing
- OpenSearch: warns open VPC domain policies accept unsigned requests
- Lightsail: docs SSL/TLS certificate auto-renewal failure fix
- Greengrass: v2.0.1 enforces TLS 1.2+, drops SSLv2/3 & TLS 1.0/1.1
- EMR: documents private keys must be passphrase-free
- DRS: agent 6.42.23 fixes CVE-2025-66566, updates Python
- Control Tower: drops sso:GetPeregrineStatus from Account Factory
- Control Tower: new root-user access-key restriction controls/SCPs
- Comprehend: adds FIPS endpoint documentation
- Cognito: new issuer format can break ALB/API Gateway auth
- CodeArtifact: Yarn unscoped packages now need auth (401 fix)
- CLI/ECS: warns of TaskArn validation gap (privesc risk)
- IAM: GitHub OIDC now only requires the sub claim
- SageMaker: guidance to lock down serialized data in S3
- MWAA: IAM example restricts Secrets Manager to GetSecretValue
- Image Builder: --blocked-action-modules denylists risky modules
- Image Builder: macOS cleanup adds SSH-key/log removal steps
- Image Builder: fixes macOS SSH-key cleanup, adds exec IAM policy
- EKS: new platform versions across K8s 1.30-1.36 with security fixes