🟠 High  |  Source: AWS Security Bulletins


A server-side request forgery (SSRF) vulnerability in the Strands Agents Tools package allows a crafted prompt to trick the elasticsearch_memory tool into sending an operator’s Elasticsearch API key to an attacker-controlled server. The flaw exists because the tool exposes connection parameters — including the target host — to the large language model, and falls back to environment variable credentials when none are explicitly provided. Any deployment using strands-agents-tools below version 0.7.0 with the elasticsearch_memory tool is at risk of credential theft.

Security Architect’s Take: Upgrade strands-agents-tools to version 0.7.0 or later immediately, and audit any deployments where the ELASTICSEARCH_API_KEY environment variable is present alongside the elasticsearch_memory tool. As a broader control, rotate any Elasticsearch API keys that may have been exposed and review your AI agent tool schemas to ensure LLMs cannot influence outbound connection targets or credential selection.

Original advisory: CVE-2026-15746 - Credential disclosure in Strands Agents Tools elasticsearch_memory tool