
Attackers can exploit this behavior to establish bidirectional command-and-control channels and exfiltrate sensitive information. This becomes particularly dangerous if the AI's IAM role possesses overprivileged permissions to access AWS resources like S3 buckets. In such scenarios, an interactive reverse shell can be obtained, and commands executed stealthily via DNS queries. The flaw, which lacks a CVE identifier, carries a CVSS score of 7.5 out of 10.0.
While Amazon acknowledged the report, it determined the behavior to be "intended functionality rather than a defect." AWS now recommends customers use VPC mode instead of sandbox mode for complete network isolation. They also advise implementing a DNS firewall to filter outbound DNS traffic. Jason Soroko, a senior fellow at Sectigo, emphasized that "Operating within a VPC provides the necessary infrastructure for robust network isolation, allowing teams to implement strict security groups, network ACLs, and Route53 Resolver DNS Firewalls."
Beyond the Bedrock revelations, two other prominent AI tools, LangSmith and SGLang, are grappling with their own severe vulnerabilities. Miggo Security disclosed a high-severity security flaw in LangSmith (CVE-2026-25750), affecting both self-hosted and cloud deployments. This vulnerability, rated 8.5 on the CVSS scale, stems from a lack of validation on the `baseUrl` parameter, allowing for URL parameter injection.
An attacker could exploit this by tricking a user into clicking a specially crafted link. Successful exploitation leads to token theft and account takeover, granting unauthorized access to AI trace history, internal SQL queries, CRM customer records, or proprietary source code. The issue was addressed in LangSmith version 0.12.71, released in December 2025.
Meanwhile, security vulnerabilities have also been flagged in SGLang, a popular open-source framework for serving large language models. Discovered by Orca Security researcher Igor Stepansky, these flaws remain unpatched. They involve unsafe pickle deserialization, which can lead to remote code execution (RCE). The most critical vulnerabilities (CVE-2026-3059 and CVE-2026-3060) carry a CVSS score of 9.8, allowing unauthenticated RCE through the ZeroMQ (ZMQ) broker if multimodal generation or disaggregation features are exposed to the network.
A third flaw (CVE-2026-3989), rated 7.8, involves insecure deserialization in a crash dump replay utility. The CERT Coordination Center (CERT/CC) advises SGLang users to restrict access to service interfaces and implement network segmentation and access controls. This prevents unauthorized interaction with ZeroMQ endpoints and protects against potential compromises.
Developers & Architects
For Bedrock AgentCore Code Interpreter, immediately migrate critical workloads from Sandbox mode to VPC mode. Implement Route53 Resolver DNS Firewalls to scrutinize outbound DNS traffic.
Security Teams
Rigorously audit IAM roles attached to AI interpreters, strictly enforcing the principle of least privilege to minimize the potential blast radius of any compromise. Ensure proactive monitoring for unexpected outbound connections from AI processes.
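The "monitoring for unexpected outbound connections" advice above is most practical at the DNS layer, since DNS is the one channel the sandbox leaves open. The following is an added example (not code from the article, AWS, or any vendor) of the detection logic a security team could run over Route 53 Resolver query logs to spot data being smuggled out in query names: it flags single queries whose labels are unusually long or high-entropy, and sources that resolve many distinct names under one zone. The thresholds, the log field subset (`srcaddr`, `query_type`, `query_name`), and the sample records are assumptions constructed for the example; the "zone = last two labels" split is a deliberate simplification of public-suffix handling.

```python
import json
import math
from collections import defaultdict
from typing import Iterable

# Thresholds are assumptions picked for this example, not AWS guidance; tune them
# against a baseline of your own sandbox traffic.
MAX_LABEL_LEN = 32          # one DNS label this long is rare in ordinary resolution
MIN_ENTROPY = 3.5           # bits per character; encoded payloads look random, hostnames do not
MIN_UNIQUE_SUBDOMAINS = 5   # many distinct names under one zone from one source

# Constructed sample records modelled on a few Route 53 Resolver query-log fields.
# Not real traffic; the .test zone is reserved and never resolves on the internet.
SAMPLE_LOG = """
{"srcaddr": "10.0.1.23", "query_type": "A",   "query_name": "pypi.org."}
{"srcaddr": "10.0.1.23", "query_type": "A",   "query_name": "files.pythonhosted.org."}
{"srcaddr": "10.0.1.23", "query_type": "A",   "query_name": "sts.us-east-1.amazonaws.com."}
{"srcaddr": "10.0.1.23", "query_type": "A",   "query_name": "s3.us-east-1.amazonaws.com."}
{"srcaddr": "10.0.1.23", "query_type": "TXT", "query_name": "0123456789abcdef0123456789abcdef01234567.exfil-example.test."}
{"srcaddr": "10.0.1.23", "query_type": "TXT", "query_name": "89abcdef0123456789abcdef0123456789abcdef.exfil-example.test."}
{"srcaddr": "10.0.1.23", "query_type": "TXT", "query_name": "deadbeefcafef00ddeadbeefcafef00ddeadbeef.exfil-example.test."}
{"srcaddr": "10.0.1.23", "query_type": "TXT", "query_name": "feedface0badf00dfeedface0badf00dfeedface.exfil-example.test."}
{"srcaddr": "10.0.1.23", "query_type": "TXT", "query_name": "a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4.exfil-example.test."}
"""


def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_query_name(qname: str):
    """Return (subdomain, zone). Simplification: the zone is the last two labels."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def score_query(qname: str) -> dict:
    """Per-query heuristics: an over-long label or a long, high-entropy subdomain."""
    sub, zone = split_query_name(qname)
    data = sub.replace(".", "")
    longest = max((len(label) for label in sub.split(".")), default=0)
    entropy = shannon_entropy(data)
    reasons = []
    if longest > MAX_LABEL_LEN:
        reasons.append(f"label length {longest}")
    if len(data) >= 20 and entropy >= MIN_ENTROPY:
        reasons.append(f"entropy {entropy:.2f}")
    return {"zone": zone, "subdomain": sub, "reasons": reasons}


def detect_exfil(log_lines: Iterable[str]) -> dict:
    """Run both checks over JSON-per-line query logs and return what was flagged."""
    suspicious = []
    unique_subs = defaultdict(set)
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        verdict = score_query(rec["query_name"])
        key = (rec["srcaddr"], verdict["zone"])
        if verdict["subdomain"]:
            unique_subs[key].add(verdict["subdomain"])
        if verdict["reasons"]:
            suspicious.append({"srcaddr": rec["srcaddr"],
                               "query_name": rec["query_name"],
                               "reasons": verdict["reasons"]})
    # Volume check: one source churning through many distinct names under a zone
    high_volume = [{"srcaddr": src, "zone": zone, "unique_subdomains": len(subs)}
                   for (src, zone), subs in unique_subs.items()
                   if len(subs) >= MIN_UNIQUE_SUBDOMAINS]
    return {"suspicious_queries": suspicious, "high_volume_zones": high_volume}


if __name__ == "__main__":
    print(json.dumps(detect_exfil(SAMPLE_LOG.splitlines()), indent=2))
```

Run against real Resolver query logs, the interesting output is the `high_volume_zones` list keyed by source address: a single sandbox address resolving dozens of distinct names under one unfamiliar zone is the signature to chase, and the same zone is what a Route 53 Resolver DNS Firewall block rule should then cover.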
LangSmith Users
Verify your LangSmith deployment is updated to version 0.12.71 or newer to patch CVE-2026-25750. Educate users about the risks of clicking suspicious links that may attempt token theft or account takeover.
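The root cause named above is a `baseUrl` parameter accepted without validation. The article does not describe how the 0.12.71 fix was implemented, so the following is an added, hypothetical example (not LangSmith's code) of the kind of allowlist check that stops a caller-supplied base URL from steering an authenticated request, and the token on it, to a host the operator never chose. The allowlisted hosts and the rejected inputs are constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit

# Hypothetical allowlist for this example; a real deployment would list only the
# API hosts its own front-end is permitted to call.
ALLOWED_HOSTS = frozenset({"api.example-langsmith.test", "langsmith.internal.example"})


def validate_base_url(raw: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Return a normalised https base URL, or raise ValueError.

    Every check here closes one way a crafted link could point the client at an
    attacker-controlled host while still looking like a URL for a trusted one.
    """
    if any(ch in raw for ch in "\\ \t\r\n"):
        raise ValueError("whitespace, control characters and backslashes are not allowed")
    parts = urlsplit(raw)
    if parts.scheme != "https":
        # Also rejects scheme-relative '//host' and 'javascript:' inputs
        raise ValueError(f"scheme must be https, got {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        # 'https://trusted.example@attacker.test' parses with hostname attacker.test
        raise ValueError("userinfo in a base URL is not allowed")
    if parts.query or parts.fragment:
        raise ValueError("query strings and fragments are not allowed in a base URL")
    host = parts.hostname  # lowercased by urlsplit
    if host is None or host not in allowed_hosts:
        raise ValueError(f"host {host!r} is not in the allowlist")
    if ".." in parts.path.split("/"):
        raise ValueError("path traversal segments are not allowed")
    port = parts.port  # raises ValueError itself on a malformed port
    netloc = host if port is None else f"{host}:{port}"
    return urlunsplit(("https", netloc, parts.path.rstrip("/"), "", ""))


def is_valid_base_url(raw: str) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_base_url(raw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for candidate in ("https://api.example-langsmith.test/",
                      "https://api.example-langsmith.test@attacker.test",
                      "https://attacker.test/?next=x"):
        print(candidate, "->", is_valid_base_url(candidate))
```

The host allowlist is the check that does the real work; the scheme, userinfo, query and path rules exist because URL parsers disagree about exactly those parts, and a validator that only string-matches a prefix can be convinced to accept a URL whose effective host is different.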
SGLang Users
Restrict network exposure for multimodal generation and encoder parallel disaggregation features. Implement robust network segmentation and access controls around ZeroMQ endpoints to prevent unauthenticated remote code execution.
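The SGLang flaws above come down to one pattern: `pickle` data arriving over a network socket is handed to the unrestricted loader, which will resolve and call any global the data names. The following is an added example (not SGLang's code, and not the fix CERT/CC or the maintainers may ship) showing why the unrestricted loader is dangerous and the standard hardening from the Python documentation: an `Unpickler` whose `find_class` refuses globals unless they are on an explicit allowlist. The `CallsOnLoad` class is a constructed, harmless stand-in (it only invokes `os.getcwd`) for a hostile object; nothing here is a working attack payload.

```python
import io
import os
import pickle


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves a global only if (module, name) is explicitly allowed.

    With an empty allowlist, only literal types (dict, list, str, int, bytes, ...)
    can be reconstructed; any attempt to import a callable aborts the load.
    """

    def __init__(self, data: bytes, allowed=frozenset()):
        super().__init__(io.BytesIO(data))
        self.allowed = allowed

    def find_class(self, module, name):
        if (module, name) in self.allowed:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to resolve global {module}.{name} from untrusted pickle data")


def safe_loads(data: bytes, allowed=frozenset()):
    """Drop-in replacement for pickle.loads on data that crossed a trust boundary."""
    return RestrictedUnpickler(data, allowed).load()


class CallsOnLoad:
    """Constructed stand-in for a malicious object.

    __reduce__ tells pickle 'rebuild me by calling os.getcwd()'; a hostile payload
    would name a far less benign callable. The unrestricted loader runs it blindly.
    """

    def __reduce__(self):
        return (os.getcwd, ())


def demo() -> dict:
    """Contrast pickle.loads with safe_loads on benign and hostile data."""
    benign = pickle.dumps({"tokens": [1, 2, 3], "text": "hello", "blob": b"\x00\x01"})
    hostile = pickle.dumps(CallsOnLoad())
    results = {"benign": safe_loads(benign)}

    # Unrestricted loader: the callable is invoked during load and its return
    # value (here the current directory, a str) is what "deserialises".
    results["unrestricted_ran_callable"] = isinstance(pickle.loads(hostile), str)

    try:
        safe_loads(hostile)
        results["hostile"] = "loaded"
    except pickle.UnpicklingError:
        results["hostile"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The allowlist exists for services that genuinely must exchange a few known classes; even then, the stronger fix is to move control-plane messages onto a format that cannot name code at all (JSON for metadata, a tensor-only format for weights), and to keep the ZeroMQ endpoints off any network an unauthenticated party can reach, which is what the segmentation advice above achieves.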
Critical vulnerabilities have been discovered in Amazon Bedrock, LangSmith, and SGLang, potentially leading to data exfiltration and remote code execution. Specifically, Amazon Bedrock's Code Interpreter sandbox allows data exfiltration via DNS queries, LangSmith suffered a high-severity URL injection flaw enabling account takeover, and SGLang contains unpatched remote code execution vulnerabilities through unsafe pickle deserialization.
Attackers can exploit a flaw in Amazon Bedrock's Code Interpreter sandbox that permits outbound DNS queries, even when configured for "no network access." This allows them to bypass network isolation and establish command-and-control channels to exfiltrate sensitive information by encoding it within DNS requests. If the AI's IAM role has excessive permissions, attackers could gain an interactive reverse shell and execute commands stealthily.
Amazon has acknowledged the DNS exfiltration behavior in Bedrock but considers it "intended functionality" rather than a defect. They recommend that customers use VPC mode instead of sandbox mode for complete network isolation. AWS also advises implementing a DNS firewall to filter outbound DNS traffic as an additional security measure.
LangSmith has a high-severity URL injection vulnerability (CVE-2026-25750) that affects both self-hosted and cloud deployments. This flaw, rated 8.5 out of 10 in severity, can lead to account takeover, potentially allowing attackers to compromise user accounts and access sensitive data within the LangSmith platform.
Organizations should reassess their configurations of AI platforms like Amazon Bedrock, LangSmith, and SGLang and implement stronger protective measures. For Bedrock, using VPC mode and DNS firewalls is crucial. Input validation and network isolation should be prioritized across all AI agent deployments to prevent data exfiltration and remote code execution.