A command injection vulnerability has been disclosed affecting Amazon ECS on Windows, tracked publicly without a formal CVE identifier and rated medium severity. The flaw reportedly allows an attacker to inject operating system commands through the ECS Windows component, potentially leading to unauthorized command execution within affected container environments. No public reports of active exploitation have been identified, and AWS customers running ECS on Windows should review AWS security bulletins and apply mitigations or updates as they become available. Other sources reviewed did not contain AWS-specific security events and were excluded.
// Service
AWS
Amazon Web Services — IAM, EC2, S3, and the rest.
// Alerts
Recent threats
// AWS MEDIUM
AWS published security bulletin AWS-2026-026 covering CVE-2026-31431. The bulletin appears on the official AWS security bulletins feed, indicating an advisory affecting an AWS service or component, though specific technical details, affected services, and remediation guidance were not retrievable from the provided excerpt. Customers should consult the AWS bulletin directly to determine impact and required action. The other sources referenced (Apache HTTP/2 RCE, Q1 2026 vulnerability landscape, and a CVE refresh-planning article) are not AWS-specific and were excluded.