GHSA-g697-2xrc-gc46

Source

https://github.com/advisories/GHSA-g697-2xrc-gc46

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-g697-2xrc-gc46/GHSA-g697-2xrc-gc46.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-g697-2xrc-gc46

Aliases

CVE-2026-9291

Published

2026-06-25T18:34:18Z

Modified

2026-06-25T18:45:28.736077800Z

Severity

7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
7.5 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

amazon-braket-sdk vulnerable to Insecure Deserialization via pickle.loads()

Details

Summary Amazon Braket SDK is an open-source Python library for interacting with the Amazon Braket quantum computing service, including managing hybrid quantum jobs and retrieving job results. An issue exists where, under certain circumstances, a remote authenticated user with S3 write access to a Braket job output bucket can achieve arbitrary code execution by exploiting insecure deserialization in the job results processing component.

Impact The SDK's deserializevalues() function reads the dataFormat field directly from the job results JSON file without validation. An actor with write access to the victim's S3 job output bucket can modify the dataFormat field in results.json from PLAINTEXT to pickledv4 and replace dataDictionary values with base64-encoded executable payloads. When the victim calls job.result(), loadjobresult(), or loadjobcheckpoint() as part of their normal Braket workflow, the SDK calls pickle.loads() on the actor-controlled data, executing arbitrary code with the victim's permissions.

Impacted versions: >= v1.10.0 AND < 1.117.0

Patches This issue has been addressed in amazon-braket-sdk version 1.117.0. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.

Workarounds If users cannot upgrade immediately:

Restrict S3 bucket policies on the Braket job output buckets to enforce least-privilege access, ensuring only trusted principals have s3:PutObject permissions. This limits an an actor's ability to plant an executable payload.
Validate the dataFormat field in job result metadata before calling job.result(). Refuse to process results where the format is pickled_v4 if it did not explicitly configure pickle serialization.

References If users have any questions or comments about this advisory, amazon-braket-sdk asks that users contact AWS Security via the vulnerability reporting page or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.

Database specific

{
    "nvd_published_at": "2026-05-22T19:17:05Z",
    "cwe_ids": [
        "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-25T18:34:18Z",
    "severity": "HIGH"
}

References

Affected packages

PyPI / amazon-braket-sdk

Package

Name: amazon-braket-sdk; View open source insights on deps.dev
Purl: pkg:pypi/amazon-braket-sdk

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.10.0

Fixed

1.117.0

Affected versions

1.*

1.10.0

1.11.0

1.11.1

1.12.0

1.13.0

1.14.0

1.14.0.post0

1.15.0

1.16.0

1.16.1

1.17.0

1.18.0

1.18.0.post0

1.18.1

1.18.2

1.19.0

1.20.0

1.21.0

1.21.1

1.22.0

1.23.0

1.23.1

1.23.2

1.24.0

1.25.0

1.25.1

1.25.1.post0

1.25.2

1.26.0

1.26.1

1.26.2

1.27.0

1.27.1

1.28.0

1.28.1

1.29.0

1.29.0.post0

1.29.1

1.29.2

1.29.3

1.29.4

1.30.0

1.30.1

1.30.2

1.31.0

1.31.1

1.32.0

1.32.1

1.32.1.post0

1.33.0

1.33.0.post0

1.33.1

1.33.2

1.34.0

1.34.1

1.34.2

1.34.3

1.34.3.post0

1.35.0

1.35.1

1.35.2

1.35.3

1.35.4

1.35.4.post0

1.35.5

1.36.0

1.36.1

1.36.2

1.36.2.post0

1.36.3

1.36.4

1.36.5

1.37.0

1.37.1

1.38.0

1.38.1

1.38.2

1.38.3

1.39.0

1.39.1

1.40.0

1.41.0

1.42.0

1.42.1

1.42.2

1.43.0

1.44.0

1.45.0

1.46.0

1.47.0

1.48.0

1.48.1

1.49.0

1.49.1

1.49.1.post0

1.50.0

1.51.0

1.52.0

1.53.0

1.53.0.post0

1.53.1

1.53.2

1.53.3

1.53.4

1.54.0

1.54.1

1.54.2

1.54.3

1.54.3.post0

1.55.0

1.55.1

1.55.1.post0

1.56.0

1.56.1

1.56.2

1.57.0

1.57.1

1.57.2

1.58.0

1.58.1

1.59.0

1.59.1

1.59.1.post0

1.59.2

1.60.2

1.61.0

1.61.0.post0

1.62.0

1.62.1

1.63.0

1.64.0

1.64.1

1.64.2

1.65.0

1.65.1

1.66.0

1.67.0

1.68.0

1.68.1

1.68.2

1.68.3

1.69.0

1.69.1

1.70.0

1.70.1

1.70.2

1.70.3

1.71.0

1.72.0

1.72.1

1.72.2

1.73.0

1.73.1

1.73.2

1.73.3

1.74.0

1.74.1

1.75.0

1.76.0

1.76.1

1.76.2

1.76.3

1.77.0

1.77.1

1.77.2

1.77.3

1.77.3.post0

1.77.4

1.77.5

1.77.6

1.78.0

1.79.0

1.79.1

1.80.0

1.80.1

1.81.0

1.81.1

1.82.0

1.83.0

1.84.0

1.85.0

1.86.0

1.86.1

1.87.0

1.87.1

1.88.0

1.88.1

1.88.2

1.88.2.post0

1.88.3

1.89.0

1.89.1

1.90.0

1.90.1

1.90.2

1.91.0

1.91.1

1.91.2

1.92.0

1.93.0

1.94.0

1.95.0

1.96.0

1.96.1

1.97.0

1.98.0

1.99.0

1.100.0

1.100.1

1.101.0

1.101.0.post0

1.102.0

1.102.1

1.102.2

1.102.3

1.102.4

1.102.5

1.102.6

1.102.7

1.102.8

1.102.9

1.102.10

1.103.0

1.104.0

1.104.1

1.105.0

1.106.0

1.106.1

1.106.2

1.106.3

1.106.4

1.106.5

1.107.0

1.108.0

1.108.1

1.109.0

1.110.0

1.110.1

1.111.0

1.111.1

1.111.2

1.112.0

1.112.1

1.113.0

1.113.1

1.114.0

1.115.0

1.116.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-g697-2xrc-gc46/GHSA-g697-2xrc-gc46.json"