On April 7, 2026, Palo Alto Networks Unit 42 published research about a DNS exfiltration vector in AWS Bedrock AgentCore Code Interpreter. AWS had already shipped fixes during the responsible disclosure window that began in November 2025, including documentation updates and MMDSv2 defaults from February 14, 2026. By the time the post went public, SANDBOX mode was tightened. But VPC mode without Route 53 Resolver DNS Firewall still leaks DNS (verified April 26, 2026).

Most coverage of the disclosure described two network modes. The Code Interpreter API actually offers three: PUBLIC, SANDBOX, and VPC. They behave very differently.

I spent six hours running every relevant AgentCore network mode through the same isolation tests in eu-central-1 (Frankfurt), with real Code Interpreter sessions, real Python code, and real DNS queries. The results don't match the simplified narrative most vendor blogs are repeating. SANDBOX has been quietly tightened. PUBLIC mode is wide open.…