Researchers disclosed a method to exfiltrate sensitive data from AI code execution sandboxes by abusing outbound DNS queries in Amazon Bedrock AgentCore Code Interpreter’s sandbox mode, enabling interactive shells and bypassing network isolation. BeyondTrust and others warn this DNS mechanism can enable command-and-control and data theft if AgentCore is given overprivileged IAM roles, and related high-severity issues were reported in LangSmith and SGLang. #AmazonBedrock #SGLang
Key points
- Amazon Bedrock AgentCore Code Interpreter’s sandbox mode allows outbound DNS queries that can be abused for bidirectional DNS command-and-control and interactive reverse shells.
- Attackers can exfiltrate AWS data (for example from S3) via DNS queries if the Code Interpreter is assigned an overprivileged IAM role.
- Amazon recommends migrating critical workloads from Sandbox mode to VPC mode and deploying DNS firewalls to enforce complete network isolation.
- LangSmith had a URL parameter injection (CVE-2026-25750) that could steal bearer tokens and enable account takeover, fixed in LangSmith v0.12.71.
- SGLang contains severe pickle deserialization flaws (CVE-2026-3059, CVE-2026-3060, CVE-2026-3989) allowing unauthenticated remote code execution; restrict ZeroMQ exposure and monitor for anomalous SGLang activity.
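The first three key points describe DNS as the one outbound channel a sandbox still has; the defensive counterpart is to watch resolver logs for the pattern that channel produces (many long, high-entropy leftmost labels from one source to one zone). The following detector is an added example, not code from the article, AWS or BeyondTrust; it assumes a constructed, simplified subset of the Route 53 Resolver query-log fields (`srcaddr`, `query_type`, `query_name`) and illustrative thresholds, and the zone/label split is a heuristic without public-suffix handling.

```python
import json
import math
from collections import defaultdict

# Constructed sample records, a simplified subset of Route 53 Resolver query-log fields
# (not real traffic): three ordinary lookups plus a burst of long, high-entropy TXT lookups
# of the kind a DNS channel out of a sandbox would produce. ".test" is a reserved TLD.
SAMPLE_LOG_LINES = [
    '{"srcaddr":"10.0.1.5","query_type":"A","query_name":"s3.us-east-1.amazonaws.com."}',
    '{"srcaddr":"10.0.1.5","query_type":"A","query_name":"pypi.org."}',
    '{"srcaddr":"10.0.1.5","query_type":"AAAA","query_name":"bedrock-runtime.us-east-1.amazonaws.com."}',
    '{"srcaddr":"10.0.1.5","query_type":"TXT","query_name":"nf3hjmgvwerzclhwy2tflxfm4ly7zxanxa.attacker-example.test."}',
    '{"srcaddr":"10.0.1.5","query_type":"TXT","query_name":"njslfr2sd3hsdgmkwayqcr5jvyg7tpmndj.attacker-example.test."}',
    '{"srcaddr":"10.0.1.5","query_type":"TXT","query_name":"q6z4xj3mpr7twdlvsh2cbgn8ykfaue5o9i.attacker-example.test."}',
]

MIN_LABEL_LEN = 30       # illustrative: hostnames this long and random-looking are rare
MIN_ENTROPY = 3.5        # illustrative: bits per character; encoded chunks usually score above 4
MIN_LABELS_PER_ZONE = 3  # illustrative: distinct suspicious labels from one source to one zone


def shannon_entropy(s: str) -> float:
    """Bits per character of a label; encoded data approaches log2(alphabet size)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(query_name: str):
    """Return (leftmost label, zone), where zone is the last two labels.
    Heuristic only: no public-suffix list, so co.uk-style zones are approximated."""
    labels = query_name.rstrip(".").lower().split(".")
    return labels[0], ".".join(labels[-2:])


def suspicious_zones(log_lines):
    """Map (srcaddr, zone) -> sorted distinct suspicious leftmost labels, keeping only pairs
    that reach MIN_LABELS_PER_ZONE, i.e. the repeated-chunk pattern of data leaving over DNS."""
    seen = defaultdict(set)
    for line in log_lines:
        rec = json.loads(line)
        label, zone = split_name(rec["query_name"])
        if len(label) >= MIN_LABEL_LEN and shannon_entropy(label) >= MIN_ENTROPY:
            seen[(rec["srcaddr"], zone)].add(label)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= MIN_LABELS_PER_ZONE}
```

Calling `suspicious_zones(SAMPLE_LOG_LINES)` flags only the `attacker-example.test` zone; the AWS and PyPI lookups fall below the label-length threshold. In production the same per-(source, zone) aggregation would run over a time window, and a Route 53 Resolver DNS Firewall rule can then block or alert on the flagged zone.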
Read More: https://thehackernews.com/2026/03/ai-flaws-in-amazon-bedrock-langsmith.html