Skip to main content

AWS JDBC Wrapper CVE-2026-14265

| EUVDEUVD-2026-41132 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-07-01 AMZN
7.7
CVSS 4.0 · Vendor: AMZN
Share

Severity by source

Vendor (AMZN) PRIMARY
7.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Network-reachable cache read but requires attacker cache-write foothold plus a viable gadget chain, so AC:H and PR:L; full CIA impact within the app process yields C/I/A:H and S:U.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (AMZN).

CVSS VectorVendor: AMZN

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
Analysis Updated
Jul 01, 2026 - 20:28 vuln.today
v3 (cvss_changed)
Source Code Evidence Fetched
Jul 01, 2026 - 20:27 vuln.today
Analysis Updated
Jul 01, 2026 - 20:27 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 01, 2026 - 20:22 vuln.today
cvss_changed
CVSS changed
Jul 01, 2026 - 20:22 NVD
7.5 (HIGH) 7.7 (HIGH)
Analysis Generated
Jul 01, 2026 - 20:16 vuln.today
CVE Published
Jul 01, 2026 - 19:34 cve.org
HIGH 7.5

DescriptionCVE.org

Deserialization of untrusted data in the RemoteQueryCachePlugin in Amazon Web Services AWS Advanced JDBC Wrapper 3.3.0 through 4.0.0 might allow an actor with write access to the shared cache infrastructure to execute arbitrary code on application servers that read cached query results via a crafted serialized Java object. The RemoteQueryCachePlugin uses ObjectInputStream without class filtering when deserializing cached query results from Redis or Valkey, enabling gadget chain execution when cache entries are poisoned.

We recommend upgrading to AWS Advanced JDBC Wrapper version 4.0.1 or later.

AnalysisAI

Arbitrary code execution in Amazon's AWS Advanced JDBC Wrapper (versions 3.3.0 through 4.0.0) arises from the RemoteQueryCachePlugin deserializing cached query results from Redis or Valkey via a raw ObjectInputStream with no class filtering. An actor able to write to the shared cache can poison entries with a crafted serialized Java object, triggering gadget-chain execution on every application server that later reads that cache entry. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain write access to shared Redis/Valkey cache
Delivery
Poison query-result key with serialized gadget object
Exploit
App server reads poisoned cache entry
Execution
ObjectInputStream deserializes without filtering
Impact
Gadget chain executes arbitrary code on app server

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target deployment uses the AWS Advanced JDBC Wrapper (3.3.0-4.0.0) with the RemoteQueryCachePlugin enabled and backed by a Redis or Valkey cache, and that the attacker has write access to that shared cache infrastructure (reflected as AT:P/PR:L in the CVSS 4.0 vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H, base 7.7 High) is internally consistent with the description: network reachable, low complexity, but with an Attack Requirement (AT:P) and low privileges (PR:L) reflecting that the attacker must first obtain write access to the shared cache infrastructure and the deployment must actually enable the RemoteQueryCachePlugin backed by Redis/Valkey. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has gained write access to the shared Redis/Valkey instance (for example via an exposed or weakly-authenticated cache, or a compromised lower-trust service that shares the cache) stores a crafted serialized Java gadget-chain object under a query-result cache key. When any application server using the RemoteQueryCachePlugin next reads that key, ObjectInputStream deserializes the payload and executes attacker code in the application process. …
Remediation Vendor-released patch: upgrade to AWS Advanced JDBC Wrapper version 4.0.1 or later (release: https://github.com/aws/aws-advanced-jdbc-wrapper/releases/tag/4.0.1), which is the primary and recommended fix. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all applications using AWS Advanced JDBC Wrapper versions 3.3.0-4.0.0 and audit their Redis/Valkey cache access controls. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

CVE-2026-14265 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy