CVE-2026-7461 - OS Command Injection in Amazon ECS Agent via FSx Windows File Server Volume Credentials

Amazon ECS · 2026-06-05

Actions

Rate this issue

Technical Details

Affected Versions	1.47.0 through 1.102.2
Regions	all
CVE IDs	CVE-2026-7461
Migration Required	Yes
Cost Impact	Neutral
IaC Impact	High

What This Means

For DevOps Teams

Update ECS Windows worker instances to the latest Amazon ECS-optimized Windows AMI with ECS agent version 1.103.0 to address the command injection vulnerability (CVE-2026-7461) and prevent potential code execution with SYSTEM privileges.

For Platform Teams

Deploy the updated ECS agent version 1.103.0 across ECS Windows worker instances to resolve the command injection issue (CVE-2026-7461) and maintain the security and integrity of your containerized applications.

For Executives

Implement the latest ECS agent version 1.103.0 to mitigate the OS command injection vulnerability (CVE-2026-7461) and ensure the security of your containerized applications running on ECS Windows worker instances.

Source

View original AWS announcement →

https://aws.amazon.com/security/security-bulletins/rss/2026-024-aws/

Related Amazon ECS Updates

Amazon ECS with AWS Fargate now supports 32vCPU compute configurations (2026-06-05)
Amazon ECS Managed Instances now supports AWS Trainium and AWS Inferentia (2026-06-03)
ECS supports native integration with Amazon EBS volumes in GovCloud Regions (2026-05-20)
Amazon ECS introduces pause and continue controls for service deployments (2026-05-19)
CVE-2026-7461 - OS Command Injection in Amazon ECS Agent via FSx Windows File Server Volume Credentials (2026-05-01)

Actions

Technical Details

What This Means

Source

Related Amazon ECS Updates

Weekly AWS Digest in Your Inbox