Skip to main content

Research And Engineering Studio Res CVE-2026-5709

| EUVDEUVD-2026-19550 HIGH
OS Command Injection (CWE-78)
2026-04-06 AMZN GHSA-6vq3-2fhj-j6wx
7.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Apr 06, 2026 - 21:46 euvd
EUVD-2026-19550
Analysis Generated
Apr 06, 2026 - 21:46 vuln.today
Patch released
Apr 06, 2026 - 21:46 nvd
Patch available
CVE Published
Apr 06, 2026 - 21:32 nvd
HIGH 7.7

DescriptionCVE.org

Unsanitized input in the FileBrowser API in AWS Research and Engineering Studio (RES) version 2024.10 through 2025.12.01 might allow a remote authenticated actor to execute arbitrary commands on the cluster-manager EC2 instance via crafted input when using the FileBrowser functionality.

To remediate this issue, users are advised to upgrade to RES version 2026.03 or apply the corresponding mitigation patch to their existing environment.

AnalysisAI

Remote command injection in AWS Research and Engineering Studio (RES) 2024.10 through 2025.12.01 allows authenticated users to execute arbitrary commands on cluster-manager EC2 instances through unsanitized input in the FileBrowser API. Vendor-released patch available (version 2026.03). No public exploit identified at time of analysis, though CVSS 7.7 reflects high impact if exploited by low-privileged authenticated users with network access.

Technical ContextAI

This vulnerability stems from CWE-78 (OS Command Injection) in the FileBrowser API component of AWS Research and Engineering Studio, a platform for managing high-performance computing environments. The affected component fails to properly sanitize user-supplied input before passing it to system command execution contexts on the cluster-manager EC2 instance. Given the CVSS vector indicators (AV:N for network attack vector, AC:L for low attack complexity, PR:L for low privileges required), an authenticated user with standard access to the RES FileBrowser interface can craft malicious input that breaks out of intended command parameters and executes arbitrary operating system commands with the privileges of the cluster-manager process. The CPE string identifies the affected product as aws:research_and_engineering_studio_(res) across the version range specified in the description.

RemediationAI

Primary remediation is upgrading to AWS Research and Engineering Studio version 2026.03 or later, which contains the complete fix for this command injection vulnerability. The patched release is available at https://github.com/aws/res/releases/tag/2026.03. For environments unable to immediately upgrade, AWS provides a corresponding mitigation patch that can be applied to existing affected versions (details available through GitHub issue https://github.com/aws/res/issues/150 and the vendor security bulletin). Organizations should prioritize patching cluster-manager instances and review FileBrowser API access logs for suspicious input patterns during the vulnerability window. As defense-in-depth measures, consider restricting FileBrowser functionality to trusted users only and implementing network segmentation to limit cluster-manager instance exposure until patches are applied.

Share

CVE-2026-5709 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy