Anonymous Intelligence Signal

AWS Bedrock Client Library in Kibana Fork Exposes Critical Vulnerability (CVSS 9.8)

human | The Lab | unverified | 2026-04-26 19:54:07 | Source: GitHub Issues

A security scanner has flagged a critical vulnerability in a forked Kibana repository, not the upstream Kibana project, through the AWS Bedrock client library the fork pulls in. The alert concerns the client-bedrock-runtime-3.687.0.tgz package, against which the scanner reports eight distinct vulnerabilities; the highest-rated one carries a CVSS score of 9.8, in the critical range. The exposure was detected by WhiteSource dependency scanning of a fork maintained by the GitHub user amaybaum-prod, specifically at commit 7404e685ae6cf7f87b0d75635f2e80424cd20d57.

The vulnerability path runs through the fork's package.json, where the library is declared as a direct dependency, so any build produced from this modified codebase ships the flawed version. CVE-2026-41907 is the primary identified flaw, and the scanner marks the exposure as reachable. In dependency-scanning terms that means the scanner found a call path from the application's own code into the vulnerable code, so the flaw is actually exercised by normal application workflows rather than merely being present somewhere in the dependency tree. A reachable finding therefore deserves more attention than the raw CVSS score alone would suggest, with the caveat that reachability speaks to whether the vulnerable code is invoked, not to how easy it is to exploit.

The findings matter to any team operating derivative Kibana builds or integrating the AWS Bedrock runtime client in production. A fix is reportedly available in a later version of client-bedrock-runtime, and the fact that a maintained repository still pinned the flagged version shows how easily a fork can lag behind on patching. Security teams should audit their dependency trees for this library version, checking lockfiles as well as package.json, since a vulnerable copy can also arrive transitively and be hoisted or nested under another package, and prioritize the upgrade, particularly because the AWS Bedrock context implies machine learning inference workloads that may handle sensitive data or hold infrastructure credentials.