CVE-2026-5708

HIGH

Unsanitized control of user-modifiable attributes in the session creation component in AWS Research and Engineering Studio (RES) prior to version 2026.03 could allow an authenticated remote user to escalate privileges, assume the virtual desktop host instance profile permissions, and interact with AWS resources and services via a crafted API request. To remediate this issue, users are advised to upgrade to RES version 2026.03 or apply the corresponding mitigation patch to their existing environment.

CVSS v3.1 Score

8.8

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Complexity

LOW

Privileges

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Published: 4/6/2026Modified: 4/10/2026

Related Intelligence (0)

No articles currently reference this CVE.

References (3)

https://aws.amazon.com/security/security-bulletins/2026-014-aws/Vendor Advisory https://github.com/aws/res/issues/149ExploitMitigation https://github.com/aws/res/releases/tag/2026.03Release Notes