CVE-2026-11401

HIGH

Privilege Escalation in AWS Advanced Go Wrapper for Amazon Aurora PostgreSQL

Title source: cna

Description

An untrusted search path issue in the GlobalDatabasePlugin in the AWS Advanced Go Wrapper for Amazon Aurora PostgreSQL will allow a remote authenticated low-privilege actor to escalate privileges to those of another Amazon RDS user, including rds_superuser, via a crafted function created by the actor that runs when that user connects to the cluster through the affected wrapper. To remediate this issue, users should upgrade to the AWS Advanced Go Wrapper release 2026-05-26

References (3)

Core 3

Core References

Patch patch

https://github.com/aws/aws-advanced-go-wrapper/releases/tag/release-2026-05-26

Vendor Advisory vendor-advisory

https://aws.amazon.com/security/security-bulletins/2026-039-aws/

Third Party Advisory third-party-advisory

https://github.com/aws/aws-advanced-go-wrapper/security/advisories/GHSA-r236-5pc3-3qcp

Scores

CVSS v3 8.0

EPSS 0.0031

EPSS Percentile 21.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-426

Status published

Products (7)

AWS/AWS Advanced Go Wrapper 2026-04-06 - 2026-05-26

aws/aws-advanced-go-wrapper 0 - 1.0.4Go

aws/aws-advanced-go-wrapper 0 - 1.0.7Go

aws/aws-advanced-go-wrapper 0 - 1.07Go

aws/aws-advanced-go-wrapper 0 - 1.1.1 (6 CPE variants)Go

aws/aws-advanced-go-wrapper 0 - 1.1.2Go

aws/aws-advanced-go-wrapper 0 - 2.0.1Go

Published Jun 05, 2026

Tracked Since Jun 06, 2026