Cybersecurity researchers have unveiled a novel technique enabling data exfiltration from AI code execution environments through the exploitation of Domain Name System (DNS) queries. This discovery, detailed in a recent report, highlights potential security gaps in how artificial intelligence services handle sensitive information and network isolation.
BeyondTrust, a cybersecurity firm, disclosed that a specific vulnerability in Amazon Bedrock AgentCore Code Interpreter’s sandbox mode permits outbound DNS queries. Attackers can leverage this design to establish interactive shells and circumvent network isolation controls, posing a significant risk to data security. While the vulnerability lacks a CVE identifier, it has been assigned a CVSS score of 7.5 out of 10.0, indicating a high severity.
Amazon Bedrock AgentCore Code Interpreter, launched in August 2025, is designed to provide AI agents with secure, isolated sandbox environments for code execution, preventing unauthorized access to external systems. However, the allowance of DNS queries, even under a “no network access” configuration, presents a critical pathway for malicious actors.
According to Kinnaird McQuade, chief security architect at BeyondTrust, threat actors can exploit this by establishing command-and-control channels and exfiltrating data over DNS. This bypasses expected network isolation, potentially exposing sensitive information if the agent’s IAM role grants access to AWS resources like S3 buckets.
In an experimental attack scenario, this DNS abuse can facilitate bidirectional communication, granting attackers an interactive reverse shell. They can then exfiltrate sensitive data and execute commands by embedding them within DNS queries and responses. Furthermore, the DNS communication mechanism can be used to deliver additional payloads. These payloads instruct the Code Interpreter to poll a DNS command-and-control (C2) server for commands stored in DNS A records, execute them, and then report the results back via DNS subdomain queries.
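The exfiltration channel described above leaves a footprint in resolver query logs: many distinct, long, high-entropy subdomain labels under one base domain from a single source. The following detector, added here as an illustration and not taken from BeyondTrust's report or from any AWS tooling, scores constructed resolver log records on exactly those properties. The JSON field names (`srcaddr`, `query_type`, `query_name`), the thresholds and the `c2-example.net` domain in the sample are assumptions for the example.

```python
import json
import math
import re
from collections import defaultdict

# Constructed sample of resolver query-log records, one JSON object per line.
# The field names (srcaddr, query_type, query_name) are assumed for this
# example; map them onto whatever schema your resolver logs actually use.
SAMPLE_LOG = """\
{"srcaddr": "10.0.1.15", "query_type": "A", "query_name": "api.github.com."}
{"srcaddr": "10.0.1.15", "query_type": "A", "query_name": "files.pythonhosted.org."}
{"srcaddr": "10.0.1.15", "query_type": "A", "query_name": "s3.us-east-1.amazonaws.com."}
{"srcaddr": "10.0.1.15", "query_type": "A", "query_name": "sts.us-east-1.amazonaws.com."}
{"srcaddr": "10.0.1.15", "query_type": "A", "query_name": "logs.us-east-1.amazonaws.com."}
{"srcaddr": "10.0.1.15", "query_type": "A", "query_name": "4b2f9c0e7d1a8f3c5e6b2d9a1c4f7e0b.t.c2-example.net."}
{"srcaddr": "10.0.1.15", "query_type": "A", "query_name": "9a1c4f7e0b4b2f9c0e7d1a8f3c5e6b2d.t.c2-example.net."}
{"srcaddr": "10.0.1.15", "query_type": "A", "query_name": "5e6b2d9a1c4f7e0b4b2f9c0e7d1a8f3c.t.c2-example.net."}
{"srcaddr": "10.0.1.15", "query_type": "A", "query_name": "cmd.poll.c2-example.net."}
"""

# Long runs of hex are typical of data encoded into a DNS label.
HEXLIKE = re.compile(r"^[0-9a-f]{16,}$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded payloads score high, words low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Split 'a.b.example.net.' into ('example.net', ['a', 'b'])."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), labels[:-2]


def analyze(log_text: str, min_unique: int = 3, min_avg_len: int = 24,
            min_entropy: float = 3.0):
    """Group queries by (source, base domain) and flag groups whose subdomain
    labels look like encoded data: many distinct, long, high-entropy labels."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        base, sub = split_name(rec["query_name"])
        if sub:  # ignore bare second-level lookups
            groups[(rec["srcaddr"], base)].append(sub)

    findings = []
    for (src, base), subs in groups.items():
        unique = {".".join(s) for s in subs}
        if len(unique) < min_unique:
            continue
        # Judge each query by its longest label, which is where a payload would sit.
        longest = [max(s, key=len) for s in subs]
        avg_len = sum(len(lab) for lab in longest) / len(longest)
        avg_entropy = sum(shannon_entropy(lab) for lab in longest) / len(longest)
        if avg_len >= min_avg_len and avg_entropy >= min_entropy:
            findings.append({
                "srcaddr": src,
                "base_domain": base,
                "unique_subdomains": len(unique),
                "avg_label_len": round(avg_len, 1),
                "avg_entropy": round(avg_entropy, 2),
                "hexlike_labels": sum(1 for lab in longest if HEXLIKE.match(lab)),
            })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(json.dumps(finding))
```

The three `amazonaws.com` lookups show why the rule needs both a length and an entropy floor: a legitimate service domain also produces several distinct subdomains per source, but its labels are short dictionary-like strings, so it is not flagged, while the `c2-example.net` group is.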
A contributing factor to this vulnerability is the potential for overprivileged IAM roles to be assigned to the Code Interpreter service, granting it extensive permissions to access sensitive data. This oversight can significantly amplify the impact of a successful exploit.
“This research demonstrates how DNS resolution can undermine the network isolation guarantees of sandboxed code interpreters,” BeyondTrust stated. “By using this method, attackers could have exfiltrated sensitive data from AWS resources accessible via the Code Interpreter’s IAM role, potentially causing downtime, data breaches of sensitive customer information, or deleted infrastructure.”
AI Observability Platforms Face New Security Challenges
Following a responsible disclosure in September 2025, Amazon has indicated that this behavior is intended functionality rather than a defect. The company advises customers to utilize VPC mode for complete network isolation and recommends implementing a DNS firewall to filter outbound DNS traffic. This proactive approach aims to mitigate risks associated with using sandbox environments for sensitive workloads.
Jason Soroko, senior fellow at Sectigo, emphasized the need for administrators to review active AgentCore Code Interpreter instances. He strongly recommends migrating any instances handling critical data from Sandbox mode to VPC mode. “Operating within a VPC provides the necessary infrastructure for robust network isolation,” Soroko explained. “This allows teams to implement strict security groups, network ACLs, and Route53 Resolver DNS Firewalls to monitor and block unauthorized DNS resolution.” He also stressed the importance of rigorously auditing IAM roles attached to these interpreters, enforcing the principle of least privilege to minimize the potential impact of a compromise.
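The IAM audit Soroko calls for can be partly automated. The following checker, added here as an example and not part of any AWS or BeyondTrust tooling, walks an IAM policy document and reports Allow statements that grant more than a sandboxed code interpreter should hold: wildcard actions, sensitive-service actions on `Resource: "*"`, and `NotAction`/`NotResource` statements, which are broad by construction. The list of "sensitive" service prefixes, the account ID and the resource names are assumptions constructed for the example.

```python
from typing import Any, Dict, List

# Service prefixes treated as sensitive for this example (chosen here, not an
# AWS-defined list): a role that can reach them with wildcards deserves scrutiny.
SENSITIVE_PREFIXES = ("s3:", "dynamodb:", "secretsmanager:", "rds:", "kms:", "iam:", "sts:")

# Constructed policy documents with placeholder account and resource names.
OVERPRIVILEGED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:111122223333:log-group:/example/agent:*"},
    ],
}

SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-agent-inputs/*"},
        {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:111122223333:log-group:/example/agent:*"},
    ],
}


def _as_list(value) -> List[Any]:
    """IAM allows a single string or a list in Action/Resource/Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return one finding per Allow statement that is broader than a sandboxed
    code interpreter should need."""
    findings = []
    for idx, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        reasons = []
        if "NotAction" in st or "NotResource" in st:
            reasons.append("uses NotAction/NotResource, which grants everything not listed")
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        wildcard_actions = [a for a in actions if a == "*" or a.endswith("*")]
        if wildcard_actions:
            reasons.append(f"wildcard actions {wildcard_actions}")
        touches_sensitive = any(a == "*" or a.startswith(SENSITIVE_PREFIXES) for a in actions)
        if touches_sensitive and "*" in resources:
            reasons.append("sensitive-service actions allowed on Resource '*'")
        if reasons:
            findings.append({"statement": idx, "actions": actions, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for name, pol in (("overprivileged", OVERPRIVILEGED_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, audit_policy(pol))
```

Run it against the policy attached to each interpreter's execution role; the scoped policy, which names one bucket prefix and a specific log group, produces no findings, while the `s3:*` on `*` statement produces two.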
Meanwhile, additional security concerns have emerged within the AI ecosystem. Miggo Security recently disclosed a high-severity flaw in LangSmith (CVE-2026-25750, CVSS 8.5), which could lead to token theft and account takeover. This vulnerability, affecting both self-hosted and cloud deployments of the AI observability platform, was addressed in LangSmith version 0.12.71 released in December 2025.
The LangSmith vulnerability stems from missing validation of the `baseUrl` URL query parameter. By tricking a victim into clicking a specially crafted link, an attacker can cause a signed-in user’s bearer token, user ID, and workspace ID to be sent to a server the attacker controls.
Successful exploitation of the LangSmith flaw could grant attackers unauthorized access to the AI’s trace history, internal SQL queries, CRM customer records, or proprietary source code by reviewing tool calls. Miggo researchers noted that a logged-in LangSmith user could be compromised simply by visiting an attacker-controlled site or clicking a malicious link. The finding underscores that AI observability platforms are integral infrastructure, and that features added for flexibility can inadvertently bypass security guardrails.
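The defensive fix for a parameter like `baseUrl` is to treat it as untrusted and accept only an allowlisted origin. The validator below is an added example and is not LangSmith's code or its actual patch; the `app.langsmith.example` allowlist is a placeholder. It rejects non-https schemes (which also covers `javascript:` and scheme-relative `//host` values), userinfo and backslash tricks that browsers and server-side URL parsers interpret differently, lookalike hosts, and non-standard ports, and it strips any query string or fragment from the result.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist of hosts the application is willing to send tokens to.
ALLOWED_HOSTS = {"app.langsmith.example"}
# Plain DNS hostnames only: no brackets, no percent-encoding, no userinfo.
HOST_RE = re.compile(r"^[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?$")


def validate_base_url(candidate: str, allowed_hosts=ALLOWED_HOSTS) -> Optional[str]:
    """Return a normalised https URL if its host is allowlisted, else None.
    Query string and fragment are dropped so the result only ever names an
    origin and path under our control."""
    try:
        parts = urlsplit(candidate.strip())
    except ValueError:  # e.g. malformed IPv6 brackets
        return None
    if parts.scheme.lower() != "https":
        return None  # rejects http:, javascript:, data: and scheme-relative //host
    netloc = parts.netloc
    # Userinfo ('@') and backslashes are resolved differently by browsers and
    # server-side libraries; refuse them rather than guess which parser wins.
    if not netloc or "@" in netloc or "\\" in netloc:
        return None
    host, _, port = netloc.lower().partition(":")
    if port not in ("", "443"):
        return None
    if not HOST_RE.match(host) or host not in allowed_hosts:
        return None
    return urlunsplit(("https", host, parts.path or "/", "", ""))


if __name__ == "__main__":
    for sample in ("https://app.langsmith.example/api",
                   "https://app.langsmith.example@evil.example/",
                   "//evil.example/"):
        print(sample, "->", validate_base_url(sample))
```

Comparing the parsed hostname against an exact allowlist, rather than checking that the string "contains" or "starts with" the trusted host, is what defeats `trusted@evil`, `trusted.evil` and `evil/trusted` variants alike.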
Further security issues have been identified in SGLang, a popular open-source framework for serving large language models. These vulnerabilities, discovered by Orca Security researcher Igor Stepansky, relate to unsafe pickle deserialization and could permit remote code execution. As of writing, these flaws remain unpatched.
The identified SGLang vulnerabilities include:
- CVE-2026-3059 (CVSS 9.8): An unauthenticated remote code execution vulnerability through the ZeroMQ (ZMQ) broker, which deserializes untrusted data using `pickle.loads()` without authentication. This affects SGLang’s multimodal generation module.
- CVE-2026-3060 (CVSS 9.8): An unauthenticated remote code execution vulnerability through the disaggregation module, which also deserializes untrusted data using `pickle.loads()` without authentication. This impacts SGLang’s encoder parallel disaggregation system.
- CVE-2026-3989 (CVSS 7.8): Insecure deserialization in SGLang’s `replay_request_dump.py`, in which `pickle.load()` is called on a file without validation, exploitable by providing a malicious pickle file.
“The first two allow unauthenticated remote code execution against any SGLang deployment that exposes its multimodal generation or disaggregation features to the network,” Stepansky stated. “The third involves insecure deserialization in a crash dump replay utility.”
The CERT Coordination Center (CERT/CC) confirmed that SGLang is vulnerable to CVE-2026-3059 when the multimodal generation system is enabled and to CVE-2026-3060 when the encoder parallel disaggregation system is enabled. If an attacker knows the TCP port on which the ZMQ broker is listening and can send requests to the server, they can exploit these vulnerabilities by sending a malicious pickle file.
Users of SGLang are advised to restrict access to the service interfaces and ensure they are not exposed to untrusted networks. Implementing adequate network segmentation and access controls is also crucial to prevent unauthorized interaction with ZeroMQ endpoints. While there is no current evidence of these SGLang vulnerabilities being exploited in the wild, organizations should monitor for unexpected inbound TCP connections to the ZeroMQ broker port, unusual child processes spawned by the SGLang Python process, unexpected file creation by the SGLang process, and outbound connections from SGLang to unknown destinations.
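All three SGLang findings share one root cause: `pickle.loads()` run on bytes from an unauthenticated source, which imports and calls whatever globals the stream names. The example below is added here to show the remediation pattern in general terms; it is not SGLang's code and not its patch. It places the pattern the advisory describes beside two hardening layers: an `Unpickler` subclass whose `find_class` refuses every global outside a small allowlist, and an HMAC tag that must verify before the unpickler ever sees the payload. The allowlist contents, the shared key and the sample message are assumptions for the example.

```python
import hashlib
import hmac
import io
import os
import pickle

# ---- The pattern the advisory describes: trusting bytes straight off a socket ----
def unsafe_handler(raw: bytes):
    # pickle.loads() will import and call whatever the stream names; never
    # do this on data from an unauthenticated endpoint.
    return pickle.loads(raw)


# ---- Hardening 1: refuse every global except an explicit allowlist ----
# Only the container types a worker message legitimately needs; this set is an
# assumption for the example and should mirror your own message schema.
SAFE_GLOBALS = {("builtins", "set"), ("builtins", "frozenset"),
                ("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module: str, name: str):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to load global {module}.{name}")


def restricted_loads(raw: bytes):
    return RestrictedUnpickler(io.BytesIO(raw)).load()


def is_rejected(raw: bytes) -> bool:
    """True if the restricted unpickler refuses the stream."""
    try:
        restricted_loads(raw)
    except pickle.UnpicklingError:
        return True
    return False


# ---- Hardening 2: authenticate the frame before the unpickler touches it ----
TAG_LEN = hashlib.sha256().digest_size


def sign_frame(raw: bytes, key: bytes) -> bytes:
    """Prefix a serialized message with HMAC-SHA256 over its bytes."""
    return hmac.new(key, raw, hashlib.sha256).digest() + raw


def verify_and_load(frame: bytes, key: bytes):
    tag, raw = frame[:TAG_LEN], frame[TAG_LEN:]
    expected = hmac.new(key, raw, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("frame failed authentication; not deserializing")
    return restricted_loads(raw)


def tamper_detected(frame: bytes, key: bytes) -> bool:
    try:
        verify_and_load(frame, key)
    except ValueError:
        return True
    return False


# Constructed sample message of the kind a serving worker might exchange.
SAMPLE_MESSAGE = {"request_id": "req-1", "token_ids": [101, 2023, 102], "meta": ("a", 1.5)}
SAMPLE_PICKLE = pickle.dumps(SAMPLE_MESSAGE)
# A stream that merely references a function by name. Harmless here, but the
# same GLOBAL opcode is the hook a hostile stream uses to reach code.
GLOBAL_REFERENCE_PICKLE = pickle.dumps(os.getcwd)


if __name__ == "__main__":
    key = b"constructed-shared-secret"
    print(verify_and_load(sign_frame(SAMPLE_PICKLE, key), key))
    print("global reference rejected:", is_rejected(GLOBAL_REFERENCE_PICKLE))
```

The allowlist is the last line of defence, not the first: if the message schema is plain data, switching the transport to JSON or another non-executable encoding removes the class of bug entirely, and the HMAC step means a crafted frame from an unauthenticated peer is discarded before any deserializer runs, which is also the point at which the advisory's recommended monitoring for unexpected inbound connections should fire.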