Incorrect Permission Assignment for Critical Resource Affecting awscli package, versions [,1.44.78)


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.1% (2nd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-PYTHON-AWSCLI-17796103
  • published2 Jul 2026
  • disclosed1 Jul 2026
  • creditUnknown

Introduced: 1 Jul 2026

NewCVE-2026-13769  (opens in a new tab)
CWE-732  (opens in a new tab)

How to fix?

Upgrade awscli to version 1.44.78 or higher.

Overview

Affected versions of this package are vulnerable to Incorrect Permission Assignment for Critical Resource via the _create_config path in awscli/customizations/codedeploy/register.py. An attacker can read the CodeDeploy on-premises configuration file by accessing it on the same Unix-like host after aws deploy register writes credential-bearing data, because the file is created with default open(..., 'w') permissions that can leave it world-readable. This exposes the region, IAM user ARN, access key ID, and secret access key to other local users, allowing them to reuse the credentials and impersonate the registered on-premises instance.

Notes

  • On Unix-like systems, the vulnerable path depends on the process umask when aws deploy register creates DEFAULT_CONFIG_FILE; with the common default umask, the file can end up mode 0644 and readable by other local users.
  • The issue applies to the on-premises CodeDeploy registration flow that writes the credential-bearing instance config file for later use by aws deploy install --config-file, not to the general aws CLI profile/config file handling.

Workarounds

  • Run aws deploy register only on hosts where other local users are trusted, or isolate the registration on a single-user machine, to prevent same-host users from reading the generated CodeDeploy configuration file and reusing the embedded credentials.
  • Restrict access to the generated CodeDeploy configuration file named by DEFAULT_CONFIG_FILE so only the intended account can read it, to prevent disclosure of the region, IAM user ARN, access key ID, and secret access key to other local users.

CVSS Base Scores

version 4.0
version 3.1