CVE-2026-9291 is a high-severity insecure deserialization vulnerability in amazon-braket-sdk (pip), affecting versions >= 1.10.0, < 1.117.0. It is fixed in 1.117.0.
Summary Amazon Braket SDK is an open-source Python library for interacting with the Amazon Braket quantum computing service, including managing hybrid quantum jobs and retrieving job results. An issue exists where, under certain circumstances, a remote authenticated user with S3 write access to a Braket job output bucket can achieve arbitrary code execution by exploiting insecure deserialization in the job results processing component. Impact The SDK's deserializevalues() function reads the dataFormat field directly from the job results JSON file without validation. An actor with write access to the victim's S3 job output bucket can modify the dataFormat field in results.json from PLAINTEXT to pickledv4 and replace dataDictionary values with base64-encoded executable payloads. When the victim calls job.result(), loadjobresult(), or loadjobcheckpoint() as part of their normal Braket workflow, the SDK calls pickle.loads() on the actor-controlled data, executing arbitrary code with the victim's permissions. Impacted versions: >= v1.10.0 AND < 1.117.0 Patches This issue has been addressed in amazon-braket-sdk version 1.117.0. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes. Workarounds If users cannot upgrade immediately: Restrict S3 bucket policies on the Braket job output buckets to enforce least-privilege access, ensuring only trusted principals have s3:PutObject permissions. This limits an an actor's ability to plant an executable payload. Validate the dataFormat field in job result metadata before calling job.result(). Refuse to process results where the format is pickled_v4 if it did not explicitly configure pickle serialization. References If users have any questions or comments about this advisory, amazon-braket-sdk asks that users contact AWS Security via the vulnerability reporting page or directly via email to [email protected]. Please do not create a public GitHub issue.
Untrusted serialized data is processed by a deserializer that can instantiate arbitrary objects or execute code as a side effect. Typical impact: arbitrary code execution or logic abuse.
CVE-2026-9291 has a CVSS score of 7.1 (High). The vector is network-reachable, low privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (1.117.0). Upgrading removes the vulnerable code path.
pip
amazon-braket-sdk (>= 1.10.0, < 1.117.0)amazon-braket-sdk → 1.117.0 (pip)Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's Application Detection and Response identifies whether CVE-2026-9291 is reachable in your applications. Explore runtime application protection for your team.
See if CVE-2026-9291 is reachable in your applications. Get a demo
Already deployed Kodem? See CVE-2026-9291 in your environment →Upgrade amazon-braket-sdk to 1.117.0 or later to resolve this vulnerability.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
CVE-2026-9291 is a high-severity insecure deserialization vulnerability in amazon-braket-sdk (pip), affecting versions >= 1.10.0, < 1.117.0. It is fixed in 1.117.0. Untrusted serialized data is processed by a deserializer that can instantiate arbitrary objects or execute code as a side effect.
CVE-2026-9291 has a CVSS score of 7.1 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
amazon-braket-sdk (pip) versions >= 1.10.0, < 1.117.0 is affected.
Yes. CVE-2026-9291 is fixed in 1.117.0. Upgrade to this version or later.
Whether CVE-2026-9291 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
Upgrade amazon-braket-sdk to 1.117.0 or later.