Bundled Python 3.14.3 in AWS CLI v2 installer affected by CVE-2026-4519

[stecasta]

The AWS CLI v2 Linux installer (https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip) bundles Python 3.14.3 as libpython3.14.so.1.0 under /usr/local/aws-cli/v2/2.34.28/dist/.

Python 3.14.3 is affected by CVE-2026-4519. The fix is available in Python 3.14.4, released April 8 (cpython#148031).

This is causing container security scan failures (Anchore/Grype) for anyone using the official AWS CLI v2 installer in Docker images, as the bundled libpython3.14.so is detected as vulnerable.

Could the installer be rebuilt with Python 3.14.4?

Affected versions: AWS CLI v2 2.34.26, 2.34.27, 2.34.28 (and likely earlier)
Fixed in: Python 3.14.4, 3.13.13, 3.15.0a8

[ashovlin]

We're actively working on upgrading to 3.14.4 in the installers. That'll clear the OpenSSL results for #10040 and #10136 as well.

[stecasta]

Thank you @ashovlin! Do you have a rough ETA in mind?

[aemous]

The bundled OpenSSL version has been updated to 3.0.19 , and the bundled Python interpreter has been updated to version 3.14.4, as of AWS CLI version 2.34.30, or later. Closing Issue.

[github-actions]

This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.