Skip to main content

Research And Engineering Studio Res CVE-2026-5708

| EUVDEUVD-2026-19549 HIGH
Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915)
2026-04-06 AMZN GHSA-fpff-pjfw-gfg7
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Apr 06, 2026 - 21:46 euvd
EUVD-2026-19549
Analysis Generated
Apr 06, 2026 - 21:46 vuln.today
Patch released
Apr 06, 2026 - 21:46 nvd
Patch available
CVE Published
Apr 06, 2026 - 21:28 nvd
HIGH 8.7

DescriptionCVE.org

Unsanitized control of user-modifiable attributes in the session creation component in AWS Research and Engineering Studio (RES) prior to version 2026.03 could allow an authenticated remote user to escalate privileges, assume the virtual desktop host instance profile permissions, and interact with AWS resources and services via a crafted API request.

To remediate this issue, users are advised to upgrade to RES version 2026.03 or apply the corresponding mitigation patch to their existing environment.

AnalysisAI

Privilege escalation in AWS Research and Engineering Studio (RES) versions prior to 2026.03 allows authenticated remote attackers to assume virtual desktop host instance profile permissions and interact with AWS resources via crafted API requests. The vulnerability stems from unsanitized user-modifiable attributes in session creation. CVSS 8.7 (High) with network attack vector, low complexity, and requiring low privileges. Vendor-released patch available (version 2026.03). EPSS data not provided; no public exploit identified at time of analysis.

Technical ContextAI

AWS Research and Engineering Studio (RES) is a cloud-based platform for deploying virtual desktop infrastructure and high-performance computing environments. This vulnerability maps to CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes), commonly known as prototype pollution or mass assignment. The session creation component fails to sanitize or validate user-controlled attributes before processing API requests, allowing attackers to inject or modify object properties that should be restricted. In AWS environments, this enables attackers to manipulate session attributes to assume IAM instance profile permissions associated with virtual desktop hosts, effectively inheriting the cloud identity and permissions of the underlying EC2 instances. The affected product is identified as cpe:2.3:a:aws:research_and_engineering_studio_(res):*:*:*:*:*:*:*:*, covering all versions prior to the patched 2026.03 release.

RemediationAI

Vendor-released patch: Upgrade to AWS Research and Engineering Studio (RES) version 2026.03 or later, available at https://github.com/aws/res/releases/tag/2026.03. The vendor advisory at https://aws.amazon.com/security/security-bulletins/2026-014-aws/ provides official remediation guidance and notes that a corresponding mitigation patch can be applied to existing environments if immediate upgrade is not feasible. Organizations should review the GitHub issue discussion at https://github.com/aws/res/issues/149 for technical implementation details. After patching, administrators should audit existing RES sessions and review CloudTrail logs for suspicious API activity or unexpected IAM role assumptions that may indicate prior exploitation. Validate that session creation API requests properly sanitize user-controlled attributes post-upgrade. No interim workarounds are specified, making version upgrade the primary remediation path.

Share

CVE-2026-5708 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy