6.5 CVE-2026-15746
Strands Agents is an open-source Python SDK for building and running AI agents. The strands-agents-tools package provides pre-built tools for use with the SDK, including the elasticsearch_memory tool for agent memory storage. We identified CVE-2026-15746, a server-side request forgery (SSRF) issue in the elasticsearch_memory tool. The tool exposed its connection parameters (es_url, cloud_id, api_key) as fields the large language model (LLM) could control through the tool schema. When a caller omitted the api_key parameter, the tool fell back to the operator's ELASTICSEARCH_API_KEY environment variable and sent it to whichever host the LLM specified. A crafted prompt could cause the tool to connect to a threat-actor-controlled server and disclose the operator's Elasticsearch API key in the Authorization header.
We recommend you upgrade to strands-agents-tools version 0.7.0 or later. As a precautionary measure, we recommend all operators rotate their ELASTICSEARCH_API_KEY, even if there is no indication the credential was exposed.
https://nvd.nist.gov/vuln/detail/CVE-2026-15746
Categories
CWE-918 : Server-Side Request Forgery (SSRF)
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Cross Site Port Attack Server-Side Request Forgery Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) SSRF in LLM toolkit accesses arbitrary URLs for images, as exploited in the wild in April 2026 to conduct port scanning [REF-1519] SSRF in LLM application development framework because the URL retriever allows connections to local addresses using a crafted Location header Chain: LLM integration framework has prompt injection(CWE-1427) that allows an attacker to force the service to retrievedata from an arbitrary URL, essentially providing SSRF (CWE-918) andpotentially injecting content into downstream tasks. Server Side Request Forgery (SSRF) in mail server, as exploited in the wild per CISA KEV. Server Side Request Forgery in cloud platform, as exploited in the wild per CISA KEV. Chain: incorrect validation of intended decimal-based IP address format (CWE-1286) enables parsing of octal or hexadecimal formats (CWE-1389), allowing bypass of an SSRF protection mechanism (CWE-918). Web server allows attackers to request a URL from another server, including other ports, which allows proxied scanning. CGI script accepts and retrieves incoming URLs. Web-based mail program allows internal network scanning using a modified POP3 port number. URL-downloading library automatically follows redirects to file:// and scp:// URLs
References
ff89ba41-3aa1-4d27-914a-91399e9639e5
AFFECTED (from MITRE)
| Vendor |
Product |
Versions |
| Amazon |
strands-agents-tools |
|
| © 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. |
CPE
| cpe |
start |
end |
| Configuration 1 |
| cpe:2.3:a:amazon:strands-agents-tools:*:*:*:*:*:*:*:* |
>= 0 |
< 0.7.0 |
REMEDIATION
EXPLOITS
Exploit-db.com
| id |
description |
date |
|
| No known exploits |
POC Github
Other Nist (github, ...)
CAPEC
Common Attack Pattern Enumerations and Classifications
| id |
description |
severity |
| 664 |
Server Side Request Forgery
[Find target application] Find target web application that accepts a user input and retrieves data from the server [Examine existing application requests] Examine HTTP/GET requests to view the URL query format. Adversaries test to see if this type of attack is possible through weaknesses in an application's protection to Server Side Request Forgery [Malicious request] Adversary crafts a malicious URL request that assumes the privilege level of the server to query internal or external network services and sends the request to the application |
High |
Cybersecurity needs ?
Strengthen software security from the outset with our DevSecOps expertise
Integrate security right from the start of the software development cycle for more robust applications and greater customer confidence.
Our team of DevSecOps experts can help you secure your APIs, data pipelines, CI/CD chains, Docker containers and Kubernetes deployments.
Discover this offer