no.security

Comprehensive cybersecurity intelligence covering threats, vulnerabilities, research, policy, and industry developments

13 min read · 12 stories

Daily Security Brief - January 20, 2026

🔄 Updates on Previous Stories

Microsoft January 2026 Patch Tuesday (Covered Jan 14)

The full scope of Microsoft’s January 2026 Patch Tuesday has now been analyzed. Beyond the CVE-2026-20805 zero-day we covered last week, the update addresses 114 total vulnerabilities, including 8 Critical-rated flaws and 3 confirmed zero-days. Organizations should prioritize the Windows Desktop Window Manager (DWM) information disclosure (CVE-2026-20805), which is under active exploitation, along with critical RCE vulnerabilities in LSASS (CVE-2026-20854) and NTFS (CVE-2026-20922, CVE-2026-20840).


🔬 Security Research & Innovation

CodeBreach: AWS CodeBuild Supply Chain Vulnerability Exposed AWS Console Risk

Type: Supply Chain Attack Research | Source: Wiz Research | Status: Patched (Sep 2025)

Wiz Research has publicly disclosed CodeBreach, a critical supply chain vulnerability that could have allowed complete takeover of core AWS GitHub repositories—including the AWS JavaScript SDK that powers 66% of all cloud environments and the AWS Console itself.

The vulnerability stemmed from a subtle but devastating flaw: unanchored regex patterns in AWS CodeBuild webhook ACTOR_ID filters. The filter 12345|67890 was intended to allow only specific trusted maintainer IDs to trigger builds, but without regex anchors (^ and $), the regex engine matched any ID containing those digits as a substring.

The Attack Chain:

  1. GitHub assigns sequential numeric IDs to new users (~200,000 per day)
  2. Researchers calculated when a new ID would “eclipse” a trusted maintainer’s ID
  3. By timing 200 simultaneous GitHub App creations, they captured ID 226755743, which contained the trusted maintainer ID as a substring
  4. Submitted a PR with a hidden payload that triggered a build and extracted GitHub credentials
  5. Obtained full admin access to aws-sdk-js-v3 and related repositories

The stolen token belonged to aws-sdk-js-automation, which had full admin privileges over the SDK repository, including the ability to push directly to main, approve PRs, and access repository secrets. An attacker could have injected malicious code into the weekly SDK release, compromising the AWS Console itself—a supply chain attack of unprecedented scope.

Why This Matters:

  • Massive Blast Radius: The JavaScript SDK is bundled into the AWS Console, meaning every AWS account could have been affected
  • Pattern Recognition: This follows similar CI/CD attacks against Amazon Q, Nx, and other supply chain targets
  • Industry Wake-Up Call: CI/CD pipelines are becoming prime targets due to their complexity, untrusted data handling, and privileged credentials

Key Mitigations for CodeBuild Users:

  • Enable the new Pull Request Comment Approval build gate
  • Always anchor regex patterns with ^ and $
  • Use fine-grained PATs with minimum required permissions
  • Consider dedicated unprivileged accounts for CI integrations

References: Wiz Research Blog, AWS Security Bulletin 2026-002, The Hacker News


🔓 Vulnerabilities & Patches

Node.js Critical DoS Vulnerability Affects Virtually All Production Apps

CVE: CVE-2025-59466 | CVSS: 7.5 (High) | Products: Node.js (All Versions) | Status: Patched

Node.js has released emergency security updates addressing a critical denial-of-service vulnerability in the async_hooks module that can crash virtually every production Node.js application. The vulnerability causes unrecoverable stack space exhaustion, leading to server crashes.

The issue is particularly concerning because Node.js/V8’s best-effort recovery from stack exhaustion—which frameworks like React and Next.js rely on for service continuity—can be bypassed. This affects APM (Application Performance Monitoring) tools and any application using async hooks for tracing or monitoring.

Technical Details:

  • Stack overflow in async_hooks causes immediate process termination
  • No graceful error handling possible due to stack exhaustion
  • Affects monitoring tools, APM agents, and tracing implementations

Mitigation Steps:

  • Update to the latest Node.js LTS versions immediately
  • Review applications using async_hooks for potential exposure
  • Monitor for unexpected server crashes in production

References: Node.js Security Blog


Hono JWT Algorithm Confusion Vulnerabilities Allow Authentication Bypass

CVE: CVE-2026-22817, CVE-2026-22818 | CVSS: 8.1 (High) | Products: Hono < 4.11.4 | Status: Patched

Two critical JWT algorithm confusion vulnerabilities have been discovered in Hono, the popular web application framework supporting multiple JavaScript runtimes. Both vulnerabilities allow attackers to forge valid JWT tokens and bypass authentication entirely.

CVE-2026-22817 affects the standard JWT middleware when no algorithm is explicitly specified. The middleware defaults to HS256, allowing an attacker with access to the public key (used for RS256) to forge tokens signed with HS256 using the public key as the secret.

CVE-2026-22818 affects the JWK/JWKS verification middleware. When the JWK lacks an explicit “alg” field, the middleware falls back to the algorithm specified in the untrusted JWT header, enabling algorithm confusion attacks.

Attack Scenario:

  1. Attacker observes application uses RS256 (asymmetric) authentication
  2. Attacker obtains the public key (often publicly available)
  3. Attacker crafts JWT with HS256 algorithm, signing with the public key
  4. Vulnerable middleware accepts the forged token as valid

Technical Details:

  • Algorithm confusion allows symmetric/asymmetric key misuse
  • Public keys treated as HMAC secrets enable token forgery
  • Complete authentication bypass possible

Mitigation Steps:

  • Upgrade Hono to version 4.11.4 or later immediately
  • Explicitly specify expected algorithms in JWT verification
  • Never derive verification algorithm from untrusted JWT headers

References: GitHub Advisory GHSA-3vhc-576x-3qv4, GitHub Advisory GHSA-f67f-6cw9-8mq4


Renovate Bot: Six Command Injection Vulnerabilities Enable Remote Code Execution

CVE: Multiple | CVSS: 8.8 (High) | Products: Renovate | Status: Patched

Six distinct command injection vulnerabilities have been disclosed in Renovate, the widely-used automated dependency update tool. These vulnerabilities allow attackers to execute arbitrary commands on systems running Renovate by crafting malicious configuration files or repository content.

Affected Managers and Attack Vectors:

Manager          Attack Vector                      Advisory
helmv3           Malicious Chart.yaml file          GHSA-3f44-xw83-3pmg
gleam            Malicious gleam.toml file          GHSA-xjr7-3c3g-m763
hermit           Maliciously named dependencies     GHSA-36j9-mx87-2cff
npm              Malicious Renovate configuration   GHSA-fr4j-65pv-gjjj
kustomize        Malicious helm repository          GHSA-xv56-3wq5-9997
Gradle Wrapper   Malicious distributionUrl          GHSA-pfq2-hh62-7m96

Risk Assessment:

  • Organizations using Renovate for automated dependency updates are at risk
  • Attackers can poison public repositories to target downstream users
  • Self-hosted Renovate instances may have broader system access

Mitigation Steps:

  • Update Renovate to the latest patched version
  • Audit Renovate configurations and restrict untrusted repository access
  • Implement sandboxing for Renovate execution environments
  • Review fork/PR policies for repositories using Renovate

References: Renovate Security Advisories


Cosign Verification Bypass Undermines Software Supply Chain Security

CVE: CVE-2026-22XXX | CVSS: Medium | Products: sigstore/cosign | Status: Patched

A verification bypass vulnerability in cosign, the popular container signing and verification tool from Sigstore, allows malicious actors to construct valid-appearing bundles using arbitrary Rekor transparency log entries. This undermines the integrity guarantees that cosign provides for software supply chain security.

Under certain conditions, cosign’s verification process would accept any valid Rekor entry, even if it didn’t correspond to the artifact being verified. An attacker who has compromised a user’s identity or signing key could exploit this to pass verification checks with unrelated log entries.

Why This Matters:

  • Cosign is fundamental to container supply chain security
  • Many organizations rely on cosign for artifact verification
  • Transparency log integrity is critical for trust decisions

Mitigation Steps:

  • Update cosign to the latest patched version
  • Verify cosign configurations include proper bundle validation
  • Review verification policies for container deployments

References: GitHub Advisory GHSA-whqx-f9j3-ch6m


SAP January 2026 Patch Day: Critical SQL Injection in S/4HANA (CVSS 9.9)

CVE: CVE-2026-0501, CVE-2026-0496, CVE-2026-0495 | CVSS: 9.9 (Critical) | Products: SAP S/4HANA, NetWeaver | Status: Patched

SAP released 17 new security patches for January 2026, including a critical SQL injection vulnerability (Security Note #3687749) in SAP S/4HANA Private Cloud and On-Premise scoring CVSS 9.9. This vulnerability could allow authenticated attackers to execute arbitrary SQL commands, potentially leading to complete database compromise.

Critical Vulnerabilities Addressed:

  • SQL Injection in S/4HANA (CVSS 9.9): Allows database manipulation and data exfiltration
  • Multiple Remote Code Execution flaws: Affecting various SAP components
  • Authentication bypass vulnerabilities: In SAP NetWeaver components

Technical Details:

  • SQL injection requires authentication but has low attack complexity
  • Successful exploitation could compromise confidentiality, integrity, and availability
  • SAP applications often contain sensitive business data

Mitigation Steps:

  • Apply SAP Security Notes immediately, prioritizing #3687749
  • Review SAP application logs for suspicious SQL activity
  • Implement additional database monitoring for SAP systems

References: SAP Security Patch Day January 2026, Onapsis Analysis


Adobe January 2026: 25 CVEs Across 11 Products Including ColdFusion

CVE: Multiple | Products: ColdFusion, InDesign, Illustrator, Bridge, Substance 3D | Status: Patched

Adobe released 11 security bulletins addressing 25 vulnerabilities across multiple products. The most critical updates affect ColdFusion (APSB26-12), which is commonly deployed on internet-facing servers and has historically been targeted by attackers.

Highlighted Bulletins:

  • APSB26-12 (ColdFusion): Critical updates for web application platform
  • APSB26-02 (InDesign): Memory corruption and code execution flaws
  • APSB26-03 (Illustrator): Multiple arbitrary code execution vulnerabilities
  • APSB26-07 (Bridge): Memory safety issues
  • APSB26-08, APSB26-11 (Substance 3D): 3D modeling tool vulnerabilities

Mitigation Steps:

  • Prioritize ColdFusion updates for internet-facing deployments
  • Apply all Adobe Creative Cloud updates
  • Review automatic update policies for Adobe products

References: Adobe Security Bulletins, Zero Day Initiative Analysis


🎯 Threat Intelligence

GitHub Security Advisory Roundup: AI Tools and Development Infrastructure Under Fire

The January 2026 GitHub Security Advisories reveal a concerning trend: AI-powered development tools and infrastructure are increasingly targeted. Notable advisories include:

AI/ML Tools:

  • OpenCode (GHSA-c83v-7274-4vgp, GHSA-vxw4-wv6m-9hhh): The AI code assistant is vulnerable to an XSS flaw leading to command execution and to an unauthenticated HTTP server allowing arbitrary command execution
  • vLLM (GHSA-grg2-63fw-f2qr): DoS via malicious image payload in Idefics3 vision models
  • orval MCP (GHSA-mwr6-3gp8-9jmj): Code injection attack in Model Context Protocol client

CI/CD and Development Tools:

  • virtualenv (GHSA-597g-3phw-6986): TOCTOU vulnerabilities in directory creation
  • filelock (GHSA-qmgc-5h2g-mvrw): Symlink vulnerability in SoftFileLock
  • GuardDog (GHSA-xg9w-vg3g-6m68, GHSA-ffj4-jq7m-9g6v): Path traversal and zip bomb vulnerabilities in the malware detection tool

Pattern Analysis: Attackers are increasingly targeting the tools that developers trust to secure their environments, creating recursive trust issues where security tools themselves become attack vectors.

References: GitHub Security Advisories


📚 Best Practices & Guidance

AWS CodeBuild Security Hardening: Preventing CI/CD Pipeline Attacks

Source: AWS + Wiz Research | Topic: CI/CD Security | Audience: DevSecOps, Cloud Security

The CodeBreach disclosure provides actionable guidance for securing AWS CodeBuild pipelines:

Key Recommendations:

  1. Prevent Untrusted PR Builds:

    • Enable the new Pull Request Comment Approval build gate
    • Use CodeBuild-hosted runners managed via GitHub workflows
    • If using webhook filters, always anchor regex patterns (^pattern$)
  2. Secure GitHub Integration:

    • Generate unique, fine-grained Personal Access Tokens per project
    • Apply minimum required permissions (see AWS documentation)
    • Consider dedicated unprivileged GitHub accounts for CI integrations
  3. Monitor for Abuse:

    • Review build logs for unexpected PR-triggered builds
    • Audit CloudTrail logs for CodeBuild credential access
    • Implement alerts for repository permission changes
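
The anchoring rule in recommendation 1 above, and the substring match behind the CodeBreach story in the Research section, as an added example that is not AWS's or Wiz's code: a small audit of a webhook filter group in the shape CodeBuild uses (each inner array is an AND-group of {type, pattern} filters; ACTOR_ACCOUNT_ID is the CodeBuild API name for the actor-ID filter the page describes). The trusted IDs come from the page's `12345|67890` example; the filter group and the colliding ID 212345678 are constructed.

```javascript
// Constructed filter group; the ACTOR_ACCOUNT_ID pattern is the unanchored one from
// the CodeBreach write-up, meant to admit only two trusted maintainer IDs.
const filterGroups = [
  [
    { type: 'EVENT', pattern: 'PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED' },
    { type: 'ACTOR_ACCOUNT_ID', pattern: '12345|67890' },
  ],
];

// Split a pattern on top-level '|' (alternations inside parentheses stay together).
// Simplification: character classes such as [|] are not special-cased.
function topLevelAlternatives(source) {
  const parts = [];
  let depth = 0;
  let current = '';
  for (let i = 0; i < source.length; i++) {
    const ch = source[i];
    if (ch === '\\') { current += ch + (source[i + 1] ?? ''); i++; continue; }
    if (ch === '(') depth++;
    if (ch === ')') depth--;
    if (ch === '|' && depth === 0) { parts.push(current); current = ''; continue; }
    current += ch;
  }
  parts.push(current);
  return parts;
}

// A filter is only safe if EVERY top-level alternative is anchored at both ends;
// '^12345|67890$' anchors each half on one side only and still matches substrings.
function isAnchored(source) {
  return topLevelAlternatives(source).every(
    (alt) => alt.startsWith('^') && alt.endsWith('$') && !alt.endsWith('\\$'),
  );
}

// Rewrite an unanchored pattern so the whole actor ID must equal one alternative.
function anchorPattern(source) {
  return isAnchored(source) ? source : `^(?:${source})$`;
}

// What the filter effectively evaluates: does the regex match the actor ID string?
function actorAllowed(patternSource, actorId) {
  return new RegExp(patternSource).test(String(actorId));
}

// Report every ACTOR_ACCOUNT_ID filter that would accept a superstring ID,
// together with the anchored replacement.
function auditFilterGroups(groups) {
  const findings = [];
  groups.forEach((group, g) => group.forEach((filter, f) => {
    if (filter.type === 'ACTOR_ACCOUNT_ID' && !isAnchored(filter.pattern)) {
      findings.push({ group: g, filter: f, pattern: filter.pattern, fixed: anchorPattern(filter.pattern) });
    }
  }));
  return findings;
}

// Constructed colliding ID: a later-registered account whose ID contains "12345".
const COLLIDING_ACTOR_ID = '212345678';
```

Running the audit over a project's exported webhook configuration flags each unanchored actor filter; the same check is worth applying to HEAD_REF and BASE_REF patterns, which are matched the same way.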

Broader CI/CD Security Principles:

  • Untrusted contributions should never trigger privileged pipelines
  • Reduce pipeline privileges to minimum required
  • Implement build isolation and sandboxing
  • Regular audit of CI/CD configurations

References: AWS CodeBuild Documentation, Wiz Threat Center


🛠️ Products & Services

Amazon Inspector Adds Java Gradle Support

Vendor: AWS | Product: Amazon Inspector | Type: Feature Enhancement

Amazon Inspector has expanded its software composition analysis (SCA) capabilities to include Java Gradle support, enabling automated vulnerability scanning for Gradle-based Java projects. This addition covers a significant gap, as Gradle has become the dominant build system for modern Java applications.

Key Features:

  • Automatic detection of Gradle dependencies in container images
  • Integration with existing Inspector vulnerability scanning workflows
  • Support for both Gradle wrapper and direct Gradle configurations

References: AWS Announcement


AWS Data Exports: Granular Bedrock Model Usage Visibility

Vendor: AWS | Product: AWS Data Exports | Type: Feature Enhancement

AWS Data Exports now provides granular operation-level visibility for Amazon Bedrock model usage, enabling organizations to track AI/ML costs and usage patterns at a detailed level. This is particularly valuable for organizations implementing AI governance and cost management frameworks.

Key Capabilities:

  • Track individual model invocation costs
  • Monitor usage patterns by operation type
  • Support for cost allocation and chargeback models

References: AWS Data Exports Documentation


💡 Security Professional Action Items

  1. Immediate: CodeBuild Users - Enable Pull Request Comment Approval and anchor all webhook regex patterns
  2. Immediate: Node.js Applications - Update all Node.js instances to patch async_hooks DoS vulnerability
  3. Immediate: Hono Framework - Upgrade to version 4.11.4 to address JWT algorithm confusion
  4. High Priority: Renovate Users - Update Renovate and audit configurations for command injection exposure
  5. High Priority: SAP Environments - Apply Security Note #3687749 for critical SQL injection (CVSS 9.9)
  6. This Week: Adobe Products - Apply ColdFusion updates immediately; schedule other Adobe patches
  7. This Week: Cosign Users - Update cosign and review verification configurations
  8. Audit: CI/CD Pipelines - Review all CI/CD configurations for untrusted PR handling
  9. Monitor: Supply Chain Tools - Evaluate security tool dependencies (GuardDog, Renovate, etc.)
  10. Planning: JWT Authentication - Audit JWT implementations for algorithm confusion vulnerabilities

📈 Threat Landscape Analysis

Today’s security news continues the dominant theme of 2026: supply chain and CI/CD infrastructure are the new frontline. The CodeBreach vulnerability disclosure exemplifies how subtle misconfigurations—literally two missing characters in a regex—can create attack paths of catastrophic scope. When the blast radius includes 66% of cloud environments and the AWS Console itself, we’re no longer discussing theoretical risks.

The convergence of AI tooling vulnerabilities (OpenCode, vLLM, orval MCP) with traditional infrastructure attacks suggests attackers are adapting their targeting to match industry’s AI adoption curve. As organizations rush to integrate AI-powered development tools, they’re expanding attack surfaces faster than security teams can assess them.

The Renovate command injection cluster (six vulnerabilities in one tool) demonstrates that even security-conscious practices like automated dependency updates introduce their own risks. The irony isn’t lost: the tool meant to keep dependencies secure becomes an attack vector.

Key Takeaway: The trust relationships in modern software development—from CI/CD systems to dependency managers to AI assistants—represent a complex web of potential compromise. Security teams must shift from endpoint-centric thinking to supply chain graph analysis, understanding that every tool in the development pipeline is both a trust anchor and a potential pivot point.


Comprehensive analysis from: Wiz Research, AdvisoryWeek, AWS Security Digest, GitHub Security Advisories, SAP, Adobe, Node.js Foundation, Microsoft MSRC

Issue #109 | January 20, 2026 | Coverage: 10 stories across 6 security segments | 10 new stories | 1 update