🟠 High  |  Source: AWS Security Bulletins


A vulnerability in the Bedrock AgentCore Python SDK (versions 1.4.8 and 1.5.0) causes raw user prompts and full agent responses to be written unfiltered into OpenTelemetry span attributes on every invocation. These spans are stored in the customer’s CloudWatch Logs group, where any locally authenticated user with read access to CloudWatch Logs could retrieve potentially sensitive AI conversation data. The issue stems from a lack of filtering or masking in the SDK’s OpenTelemetry instrumentation layer.

Security Architect’s Take: Audit who holds CloudWatch Logs read permissions on the aws/spans log group immediately, and upgrade to a patched version of bedrock-agentcore beyond 1.5.0. If an immediate upgrade is not possible, consider restricting CloudWatch Logs read access to the aws/spans log group using resource-level IAM policies and enabling log group encryption with a customer-managed KMS key to limit exposure.

Original advisory: CVE-2026-15737 - Sensitive content disclosure via OpenTelemetry spans in AgentCore Python SDK