A vulnerability in the AWS Bedrock AgentCore Python SDK (versions 1.1.3 to 1.6.1) allows crafted package name arguments to bypass input sanitisation in the install_packages() method. An attacker could redirect pip to a malicious PyPI server to serve tampered packages, or use the ‘-r’ flag to read arbitrary files within the sandbox. The issue stems from an incomplete blocklist used to construct shell commands, rather than a safe argument-passing approach.

Security Architect’s Take: Update the bedrock-agentcore SDK to version 1.6.1 or later immediately. Audit any pipelines or agent code that calls install_packages() with externally influenced input, and review sandbox egress controls to limit access to unauthorised PyPI endpoints as a defence-in-depth measure.

Original advisory: CVE-2026-12530 - Improper neutralization of argument delimiters in AWS Bedrock AgentCore Python SDK install_packages()