aws-runtime is vulnerable to Missing Authentication
Score: 65 (Medium Risk)
Client codegen for event stream operations that include an initial-request message serializes that message to bytes and chains it onto the stream ahead of the MessageStreamAdapter. The adapter signs messages in its poll_next path, but the initial message is already raw bytes by the time it is chained, so it never passes through the adapter and is never signed. Event stream operations that require SigV4 therefore send the initial-request message unsigned while subsequent messages are signed, which can cause authentication failures or inconsistent validation by services that expect the initial message to be signed. The fix routes the initial message through the same marshalling and signing pipeline as regular events so that the adapter signs it.
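The ordering problem described above, reduced to a small model. This is an added example, not code from aws-runtime or smithy-rs: `Frame`, `SigningAdapter`, `toy_tag`, `vulnerable`, `fixed` and `unsigned_positions` are hypothetical names, and the toy tag is a stand-in for SigV4 event signing, not a real MAC.

```rust
// Simplified model of the pipeline in the advisory. All names are hypothetical.
#[derive(Debug, Clone, PartialEq)]
enum Frame {
    Raw(Vec<u8>),                          // bytes that reach the wire with no signature
    Signed { payload: Vec<u8>, tag: u64 }, // payload wrapped by the signing adapter
}

// Toy keyed checksum (FNV-style). Assumption: stands in for SigV4, not secure.
fn toy_tag(key: u64, payload: &[u8]) -> u64 {
    payload.iter().fold(key, |h, b| (h ^ *b as u64).wrapping_mul(0x100000001b3))
}

// Stand-in for MessageStreamAdapter: signing happens only when an item is
// pulled through next(), mirroring "signs messages in its poll_next path".
struct SigningAdapter<I> { inner: I, key: u64 }

impl<I: Iterator<Item = Vec<u8>>> Iterator for SigningAdapter<I> {
    type Item = Frame;
    fn next(&mut self) -> Option<Frame> {
        let payload = self.inner.next()?;
        let tag = toy_tag(self.key, &payload);
        Some(Frame::Signed { payload, tag })
    }
}

// Vulnerable shape: the initial-request is already serialized and is chained
// in front of the adapter, so it bypasses the only place signing occurs.
fn vulnerable(initial: Vec<u8>, events: Vec<Vec<u8>>, key: u64) -> Vec<Frame> {
    let adapter = SigningAdapter { inner: events.into_iter(), key };
    std::iter::once(Frame::Raw(initial)).chain(adapter).collect()
}

// Fixed shape: the initial-request enters the adapter like any other event.
fn fixed(initial: Vec<u8>, events: Vec<Vec<u8>>, key: u64) -> Vec<Frame> {
    let inner = std::iter::once(initial).chain(events);
    SigningAdapter { inner, key }.collect()
}

// Regression check: positions of frames that left the pipeline unsigned.
fn unsigned_positions(frames: &[Frame]) -> Vec<usize> {
    frames.iter().enumerate()
        .filter(|(_, f)| matches!(f, Frame::Raw(_)))
        .map(|(i, _)| i)
        .collect()
}

fn main() {
    // Constructed sample input.
    let (init, evs) = (b"initial-request".to_vec(), vec![b"e1".to_vec(), b"e2".to_vec()]);
    println!("vulnerable: {:?}", unsigned_positions(&vulnerable(init.clone(), evs.clone(), 7)));
    println!("fixed:      {:?}", unsigned_positions(&fixed(init, evs, 7)));
}
```

A check like `unsigned_positions` is the kind of assertion a test suite can run against a captured stream to confirm that every frame, including the first, passed through the signer.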
You are affected if you are using a version that falls within the vulnerable range.
aws-runtime is vulnerable to Missing Authentication in versions 1.0.0 - 1.7.1.
Upgrade the aws-runtime library to the patched version.