CVE-2026-5708

HIGH

Improper Control of User-Modifiable Attributes in RES CreateSession API

Title source: cna

Description

Unsanitized control of user-modifiable attributes in the session creation component in AWS Research and Engineering Studio (RES) prior to version 2026.03 could allow an authenticated remote user to escalate privileges, assume the virtual desktop host instance profile permissions, and interact with AWS resources and services via a crafted API request. To remediate this issue, users are advised to upgrade to RES version 2026.03 or apply the corresponding mitigation patch to their existing environment.

References (3)

[Release Notes] https://github.com/aws/res/releases/tag/2026.03

[Patch] https://github.com/aws/res/issues/149

[Vendor Advisory] https://aws.amazon.com/security/security-bulletins/2026-014-aws/

Scores

CVSS v3 8.8

EPSS 0.0006

EPSS Percentile 18.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-915

Status published

Products (2)

amazon/research_and_engineering_studio < 2026.03

AWS/Research and Engineering Studio (RES) 2023.11 - 2025.12.01

Published Apr 06, 2026

Tracked Since Apr 07, 2026