MyPrivateClaw

CVE-2026-15746 Assigned for server-side request forgery in strands-agents-tools

CVE 2026 15746 was assigned by CNA AMZN (AWS) and published to NVD on 2026 07 15 affecting strands agents tools versions < 0.7.0; the fix is available in versi…

Published on MyPrivateClaw

Jul 16, 2026, 8:46 PM UTC

Coverage date

Jul 16, 2026

Last updated

Jul 16, 2026, 8:46 PM UTC

News summary

The elasticsearch memory tool in strands agents tools versions prior to 0.7.0 is vulnerable to server side request forgery (CWE 918): when the caller omits the api key parameter, the tool falls back to the ELASTICSEARCH API KEY environment variable and sends it in the Authorization header to whichever host the LLM specifies via the es url parameter. AWS assigned CVSS 3.1 base score of 6.5 MEDIUM (vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) and CVSS 4.0 base score of 6.9 MEDIUM. Remediation is to upgrade to strands agents tools version 0.7.0 or later; as a precautionary measure, AWS recommends all operators rotate their ELASTICSEARCH API KEY even without indication of exposure. Workarounds include avoiding the elasticsearch memory tool until upgrade, not exposing the ELASTICSEARCH API KEY environment variable to the tool when using an affected version, and restricting outbound network a…