{"data":{"id":"debc845d-9902-47e4-9e26-d181f099e420","title":"CVE-2026-15746: Strands Agents is an open-source Python SDK for building and running AI agents. The strands-agents-tools package provide","summary":"Strands Agents is an open-source Python SDK for building AI agents, and its elasticsearch_memory tool (used for storing agent memory) had a server-side request forgery vulnerability (SSRF, where an attacker tricks a server into making requests to unintended destinations). The tool allowed the LLM to control connection settings, so a crafted prompt could make it connect to an attacker's server and leak the operator's Elasticsearch API key in the process.","solution":"Upgrade to strands-agents-tools version 0.7.0 or later. Additionally, all operators should rotate their ELASTICSEARCH_API_KEY environment variable as a precautionary measure, even if there is no evidence the credential was exposed.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-15746","publishedAt":"2026-07-15T19:16:57.773Z","cveId":"CVE-2026-15746","cweIds":["CWE-918"],"cvssScore":"6.5","cvssSeverity":"medium","severity":"medium","attackType":["prompt_injection"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["LangChain"],"affectedVendorsRaw":["Strands Agents","strands-agents-tools"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N","attackVector":"network","attackComplexity":"low","privilegesRequired":"none","userInteraction":"required","exploitMaturity":"unknown","epssScore":0,"patchAvailable":null,"disclosureDate":"2026-07-15T19:16:57.773Z","capecIds":["CAPEC-664"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity"],"aiComponentTargeted":"agent","llmSpecific":true,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}