🟠 High | Source: AWS Security Bulletins
A command injection vulnerability (CVE-2026-13760) in AWS CDK’s NodejsFunction Docker bundling pipeline allows an attacker who can control dependency version strings in a project’s package.json to execute arbitrary commands on the machine running the CDK toolchain. The flaw exists in versions of aws-cdk-lib prior to 2.260.0 and is triggered when version strings containing shell metacharacters reach the OsCommand helper during Docker-based bundling. While exploitation requires influence over the package.json contents, the impact on developer workstations and CI/CD pipelines could be severe.
Security Architect’s Take: Upgrade aws-cdk-lib to 2.260.0 or later immediately, particularly in any CI/CD pipelines that use NodejsFunction with Docker-based bundling and nodeModules specified. Additionally, review your supply chain controls to ensure third-party or untrusted contributors cannot tamper with package.json dependency version strings in CDK projects.
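As an added example (not code from AWS or the aws-cdk project), a small audit script that checks a CDK project’s package.json for the two conditions above: dependency version strings carrying shell metacharacters, and an aws-cdk-lib lower bound below 2.260.0. The sample package.json and the function names auditPackageJson, compareVersions and cdkLowerBound are constructed for this illustration.

```javascript
const FIXED_CDK_VERSION = "2.260.0"; // first aws-cdk-lib release without the flaw (per the bulletin)
// Shell metacharacters that never occur in a valid semver range, dist-tag or npm alias.
const SHELL_META = /[;&`$(){}\\'"\n\r]/;
// Characters a plain semver range may contain; anything else (git URLs, file: specs) gets a review flag.
const SEMVER_RANGE = /^[\w.+\-^~*<>=| ]*$/;

// Numeric compare of dotted versions: <0 if a < b, 0 if equal, >0 if a > b.
function compareVersions(a, b) {
  const pa = a.split(".").map((n) => parseInt(n, 10) || 0);
  const pb = b.split(".").map((n) => parseInt(n, 10) || 0);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}
// Lower bound of a pinned, caret or tilde spec ("^2.250.0" -> "2.250.0"); null for anything more complex.
function cdkLowerBound(spec) {
  const m = /^[\^~]?(\d+\.\d+\.\d+)$/.exec(spec.trim());
  return m ? m[1] : null;
}

// Returns one finding per problem: { name, spec, severity: "high" | "review", reason }.
function auditPackageJson(text) {
  const pkg = JSON.parse(text);
  const findings = [];
  for (const section of ["dependencies", "devDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (SHELL_META.test(spec)) {
        findings.push({ name, spec, severity: "high", reason: "shell metacharacter in version string" });
      } else if (!SEMVER_RANGE.test(spec)) {
        findings.push({ name, spec, severity: "review", reason: "non-semver specifier, inspect manually" });
      }
      if (name !== "aws-cdk-lib") continue;
      const lower = cdkLowerBound(spec);
      if (lower === null) {
        findings.push({ name, spec, severity: "review", reason: "cannot determine aws-cdk-lib lower bound" });
      } else if (compareVersions(lower, FIXED_CDK_VERSION) < 0) {
        findings.push({ name, spec, severity: "high", reason: `aws-cdk-lib ${lower} is below ${FIXED_CDK_VERSION}` });
      }
    }
  }
  return findings;
}

// Constructed sample package.json; not taken from any real project.
const SAMPLE_PACKAGE_JSON = JSON.stringify({ dependencies: {
  "aws-cdk-lib": "^2.250.0", "lodash": ">=4.17.21 <5",
  "left-pad": "1.3.0; true", "internal-lib": "git+https://example.invalid/internal-lib.git" } });
console.log(auditPackageJson(SAMPLE_PACKAGE_JSON));
```

Run it against each CDK project in a CI step and fail the build on any "high" finding; "review" findings cover legitimate but non-semver specifiers that deserve a human look.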
Original advisory: CVE-2026-13760 - OS Command Injection in NodejsFunction Docker Bundling in aws-cdk-lib