CVE-2026-5707

HIGH

Unsanitized input in an OS command in the virtual desktop session name handling in AWS Research and Engineering Studio (RES) version 2025.03 through 2025.12.01 might allow a remote authenticated actor to execute arbitrary commands as root on the virtual desktop host via a crafted session name. To remediate this issue, users are advised to upgrade to RES version 2026.03 or apply the corresponding mitigation patch to their existing environment.

CVSS v3.1 Score

8.8
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
NETWORK
Complexity
LOW
Privileges
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Published: 4/6/2026Modified: 4/10/2026

Related Intelligence (1)

LOWVulnerability

Issues with AWS Research and Engineering Studio (RES)

<p><b>Bulletin ID:</b> 2026-014-AWS<br> <b>Scope:</b> AWS<br> <b>Content Type:</b> Important (requires attention)<br> <b>Publication Date:</b> 2026/04/06 14:00 PM PDT</p> <p><b>Description:</b></p> <p>Research and Engineering Studio (RES) on AWS is an open source, web portal design for administrators to create and manage secure cloud-based research and engineering environments. We have identified

CVE-2026-5707CVE-2026-5708
AWS Security Bulletins

References (3)

https://aws.amazon.com/security/security-bulletins/2026-014-aws/Vendor Advisoryhttps://github.com/aws/res/issues/151ExploitIssue Trackinghttps://github.com/aws/res/releases/tag/2026.03Release Notes