AWS Advanced JDBC Wrapper CVE-2026-11400

EUVD-2026-34900 · HIGH
Untrusted Search Path (CWE-426)
2026-06-05 · AMZN
8.6 (CVSS 4.0, NVD)

Severity by source

NVD (primary): 8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector breakdown (NVD)

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Passive (P)
  • Scope: X (not defined)

Lifecycle Timeline (6 events)

  • Jun 05, 2026 20:29 · vuln.today: Analysis updated, v3 (cvss_changed)
  • Jun 05, 2026 20:29 · vuln.today: Analysis updated, v2 (cvss_changed)
  • Jun 05, 2026 20:22 · vuln.today: Re-analysis queued (cvss_changed)
  • Jun 05, 2026 20:22 · NVD: CVSS changed, 8.0 (HIGH) → 8.6 (HIGH)
  • Jun 05, 2026 19:51 · vuln.today: Source code evidence fetched
  • Jun 05, 2026 19:51 · vuln.today: Analysis generated

Description (CVE.org)

An untrusted search path issue in the GlobalDatabasePlugin in the AWS Advanced JDBC Wrapper for Amazon Aurora PostgreSQL will allow a remote authenticated low-privilege actor to escalate privileges to those of another Amazon RDS user, including rds_superuser, via a crafted function created by the actor that runs when that user connects to the cluster through an affected wrapper.

To remediate this issue, users should upgrade to AWS Advanced JDBC Wrapper version 4.0.1.

Analysis (AI)

Privilege escalation in the AWS Advanced JDBC Wrapper for Amazon Aurora PostgreSQL (versions prior to 4.0.1) allows a remote authenticated low-privilege RDS user to gain the privileges of another database user - including rds_superuser - by planting a crafted function that executes when the higher-privileged user connects to the cluster through the affected wrapper. No public exploit identified at time of analysis, and the vendor (Amazon) released a fix in version 4.0.1 on 2026-05-13 that fully qualifies function calls in PostgreSQL topology detection queries to close the search-path attack surface.

Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Authenticate as low-priv RDS user
  • Delivery: Create malicious function in public schema
  • Exploit: Wait for rds_superuser to connect via wrapper
  • Execution: GlobalDatabasePlugin runs unqualified topology query
  • Persist: Attacker function executes as superuser
  • Impact: Escalate to full database control

Vulnerability Assessment (AI)

Exploitation: Attacker must hold valid low-privilege credentials on the target Amazon Aurora PostgreSQL cluster and possess CREATE permission on a schema that appears earlier in the target user's search_path than the schema of the legitimate function (typically the default public schema). … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 4.0 base score of 8.6 (AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H) reflects a network-reachable, low-complexity attack that requires only low-privilege authentication but does depend on passive user interaction (UI:P) - namely, a higher-privileged RDS user subsequently connecting through the affected wrapper, which the attacker cannot directly force. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: A low-privileged tenant on a shared Aurora PostgreSQL cluster creates a malicious function in the public schema whose unqualified name matches a function the GlobalDatabasePlugin invokes during topology detection. When a DBA or automation account with rds_superuser later connects to the cluster through an unpatched AWS Advanced JDBC Wrapper, the wrapper's unqualified query resolves to the attacker's function and executes it under the superuser's session, granting the attacker full database control. …

Remediation: Vendor-released patch: upgrade to AWS Advanced JDBC Wrapper version 4.0.1 or later (https://github.com/aws/aws-advanced-jdbc-wrapper/releases/tag/4.0.1), which fully qualifies function calls in the PostgreSQL topology detection queries used by the GlobalDatabasePlugin per the 2026-05-13 release notes; see the AWS security bulletin at https://aws.amazon.com/security/security-bulletins/2026-039-aws/ for guidance. … Detailed patch versions, workarounds, and compensating controls in full report.
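The following SQL is an added audit example for the precondition and fix described above; it is not from the advisory, from vuln.today, or from the aws-advanced-jdbc-wrapper project. It assumes an ordinary PostgreSQL catalog (`pg_namespace`, `pg_proc`, `aclexplode`), and the name `topology_probe()` is a placeholder standing in for whatever function the plugin actually calls, which the page does not name.

```sql
-- Added audit example (not the advisory's or the wrapper's own code).
-- "topology_probe()" is a placeholder; the real function name is not on the page.

-- (1) Who may CREATE objects in schema public? A grantee of PUBLIC
--     (aclexplode reports it as grantee oid 0) means every authenticated
--     user can plant a function there, the condition the advisory describes.
SELECT CASE WHEN a.grantee = 0 THEN 'PUBLIC'
            ELSE pg_catalog.pg_get_userbyid(a.grantee) END AS grantee,
       a.privilege_type
FROM pg_catalog.pg_namespace AS n
     CROSS JOIN LATERAL pg_catalog.aclexplode(n.nspacl) AS a
WHERE n.nspname = 'public'
  AND a.privilege_type = 'CREATE';

-- (2) Functions in public that share a name with a function defined in some
--     other schema. These are candidates for shadowing an unqualified call
--     and should be reviewed by a DBA together with their owner.
SELECT n.nspname                                            AS schema,
       p.proname                                            AS function,
       pg_catalog.pg_get_function_identity_arguments(p.oid) AS args,
       pg_catalog.pg_get_userbyid(p.proowner)               AS owner,
       other.nspname                                        AS also_defined_in
FROM pg_catalog.pg_proc AS p
     JOIN pg_catalog.pg_namespace AS n ON n.oid = p.pronamespace
     JOIN LATERAL (
         SELECT DISTINCT on2.nspname
         FROM pg_catalog.pg_proc AS p2
              JOIN pg_catalog.pg_namespace AS on2 ON on2.oid = p2.pronamespace
         WHERE p2.proname = p.proname
           AND p2.pronamespace <> p.pronamespace
     ) AS other ON true
WHERE n.nspname = 'public'
ORDER BY 1, 2, 5;

-- (3) The client-side fix the release notes describe, illustrated with the
--     placeholder name: an unqualified call is resolved through search_path,
--     a schema-qualified call names exactly one function.
-- vulnerable pattern:  SELECT topology_probe();
-- hardened pattern:    SELECT pg_catalog.topology_probe();

-- (4) Server-side compensating control. This is general PostgreSQL hardening
--     (the default since PostgreSQL 15), not a workaround stated by the vendor;
--     it must be run by the schema owner or a sufficiently privileged role.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
```

Two caveats when reading the output. Query (1) returns nothing when `nspacl` is NULL, which means the server's built-in defaults apply; on PostgreSQL releases before 15 those defaults gave PUBLIC the CREATE privilege on `public`. For query (2), PostgreSQL searches `pg_catalog` implicitly before the listed schemas unless `search_path` names it explicitly later, so a same-named function in `public` wins only when the caller's `search_path` puts `pg_catalog` after it or when the function's argument types match the call more exactly than the catalog's; the rows are therefore candidates to review, not confirmed hijacks.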

Recommended Action (AI)

Within 24 hours: Inventory all systems using AWS Advanced JDBC Wrapper versions prior to 4.0.1 and assess production exposure. …