PULSE
LIVE17signals / 24h
FEED
ransomdoommageddon reclama a Reni Farmácias Associadas · BR · Healthcareransomunsafe reclama a CCR Solutions · BR · Business Servicesransomqilin reclama a PP+K · BR · Not Foundransomqilin reclama a Eana · AR · Not Foundransomqilin reclama a Synergy Products · TR · Not Foundransomnova reclama a meralmanisa · TR · Not Foundransomnova reclama a Dephub · ID · Not Foundransomnova reclama a Jota Joias Premium · BR · Consumer Servicesransomqilin reclama a Don Tortaco Mexican Grill · US · Hospitality and Tourismransomqilin reclama a Associated Theatrical Contractors · US · Business Servicesransompayload reclama a CKR Consulting Engineers · Business Servicesransomblackout reclama a yano.tokyo · JP · Technologyransomblackout reclama a www.miatech.net · US · Technologyransomblackout reclama a bluebellgroup.com · GB · Not Foundransomdoommageddon reclama a Reni Farmácias Associadas · BR · Healthcareransomunsafe reclama a CCR Solutions · BR · Business Servicesransomqilin reclama a PP+K · BR · Not Foundransomqilin reclama a Eana · AR · Not Foundransomqilin reclama a Synergy Products · TR · Not Foundransomnova reclama a meralmanisa · TR · Not Foundransomnova reclama a Dephub · ID · Not Foundransomnova reclama a Jota Joias Premium · BR · Consumer Servicesransomqilin reclama a Don Tortaco Mexican Grill · US · Hospitality and Tourismransomqilin reclama a Associated Theatrical Contractors · US · Business Servicesransompayload reclama a CKR Consulting Engineers · Business Servicesransomblackout reclama a yano.tokyo · JP · Technologyransomblackout reclama a www.miatech.net · US · Technologyransomblackout reclama a bluebellgroup.com · GB · Not Found
← All CVEs
CVE WatchJul 15, 2026

CVE-2026-15746

Strands Agents is an open-source Python SDK for building and running AI agents. The strands-agents-tools package provides pre-built tools fo

CVSS

6.5

Medium

EPSS

0.2%

p16

KEV

Exploit Today

5

0-100

Published: Jul 15, 2026 · Last modified: Jul 15, 2026 · CWE-918

EPSS · 30d
0.2%EPSS · 30 days0.2%
2026-07-162026-07-19
Technical description

Strands Agents is an open-source Python SDK for building and running AI agents. The strands-agents-tools package provides pre-built tools for use with the SDK, including the elasticsearch_memory tool for agent memory storage. We identified CVE-2026-15746, a server-side request forgery (SSRF) issue in the elasticsearch_memory tool. The tool exposed its connection parameters (es_url, cloud_id, api_key) as fields the large language model (LLM) could control through the tool schema. When a caller omitted the api_key parameter, the tool fell back to the operator's ELASTICSEARCH_API_KEY environment variable and sent it to whichever host the LLM specified. A crafted prompt could cause the tool to connect to a threat-actor-controlled server and disclose the operator's Elasticsearch API key in the Authorization header. We recommend you upgrade to strands-agents-tools version 0.7.0 or later. As a precautionary measure, we recommend all operators rotate their ELASTICSEARCH_API_KEY, even if there is no indication the credential was exposed.

Official references
Related CVEs
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2026-202308.6 HIG
98.5%
KEV80Cisco Unified Communications Manager Server-Side Request Forgery (SSRF) Vulnerability18d
CVE-2026-1540910.0 CRI
66.5%
KEV70SonicWall SMA1000 Appliances Server-Side Request Forgery Vulnerability4d
CVE-2020-248819.8 CRI
99.4%
30SSRF exists in osTicket before 1.14.3, where an attacker can add malicious file to server or perform port scanning.9d
CVE-2026-445788.6 HIG
98.4%
30Next.js is a React framework for building full-stack web applications. From 13.4.13 to before 15.5.16 and 16.2.5, self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket upgrade requests. An attacker can cause the server to proxy requests to arbitrary internal or external destinations, which may expose internal services or cloud metadata endpoints. Vercel-hosted deployments are not affected. This vulnerability is fixed in 15.5.16 and 16.2.5.3d
CVE-2023-271597.5 HIG
98.3%
29Appwrite up to v1.2.1 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /v1/avatars/favicon. This vulnerability allows attackers to access network resources and sensitive information via a crafted GET request.11d
CVE-2026-483327.7 HIG
95.7%
29ColdFusion is affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploitation of this issue does not require user interaction. Scope is changed.4d