Skip to main content

AWS RES CVE-2026-14904

| EUVDEUVD-2026-42056 HIGH
Improper Link Resolution Before File Access (CWE-59)
2026-07-07 AMZN GHSA-7xcj-pxq8-grgf
7.1
CVSS 4.0 · Vendor: AMZN
Share

Severity by source

Vendor (AMZN) PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

Network-reachable API needing an authenticated account (PR:L) and no user interaction; symlink read yields high confidentiality only, with no integrity or availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (AMZN).

CVSS VectorVendor: AMZN

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 07, 2026 - 17:20 vuln.today

DescriptionCVE.org

AWS Research and Engineering Studio (RES) is an open-source solution that enables researchers and engineers to create and manage secure virtual desktops and computing resources on AWS.

Improper link resolution before file access issue (CWE-59) in the Auth.GetUserPrivateKey API. An authenticated remote user could read arbitrary files on the cluster-manager EC2 instance by replacing their SSH private key file (~/.ssh/id_rsa) with a symbolic link targeting any file on the host. Because the cluster-manager process runs as root, any file readable by root is exposed, including other users' SSH private keys and application configuration secrets.

It's recommended to upgrade to RES version 2026.06.

AnalysisAI

Arbitrary file disclosure in AWS Research and Engineering Studio (RES) prior to version 2026.06 allows an authenticated remote user to read any file readable by root on the cluster-manager EC2 instance. The Auth.GetUserPrivateKey API follows a user-controlled symbolic link at ~/.ssh/id_rsa, and because the cluster-manager process runs as root, an attacker can exfiltrate other users' SSH private keys and application secrets. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with valid RES account
Delivery
Replace ~/.ssh/id_rsa with malicious symlink
Exploit
Point symlink at root-readable target file
Execution
Invoke Auth.GetUserPrivateKey API
Persist
Cluster-manager reads file as root
Impact
Exfiltrate other users' keys and secrets

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated RES account (PR:L) with the ability to write to one's own home directory and place a symlink at ~/.ssh/id_rsa on the cluster-manager EC2 instance, plus the ability to invoke the Auth.GetUserPrivateKey API remotely over the network. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N, base 7.1) describes a network-reachable, low-complexity attack requiring low privileges (an existing authenticated account) with no user interaction and high confidentiality impact but no integrity or availability impact - consistent with the description of an information-disclosure symlink read. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who holds a valid RES user account logs into their environment, replaces their own ~/.ssh/id_rsa with a symbolic link pointing to a sensitive root-owned file such as another user's private key or a service configuration secret, then invokes the Auth.GetUserPrivateKey API to retrieve the linked file's contents. Because the cluster-manager reads the target as root, the attacker receives data they were never authorized to see. …
Remediation Vendor-released patch: RES 2026.06 - upgrade the cluster-manager and RES environment to version 2026.06 as the primary fix, per the release at https://github.com/aws/res/releases/tag/2026.06 and the advisory at https://aws.amazon.com/security/security-bulletins/2026-053-aws/. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all RES clusters in use and their versions via AWS API or CloudTrail; review API logs for Auth.GetUserPrivateKey calls to detect suspicious activity; document current SSH keys and secrets stored on cluster-manager instances. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-14904 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy