Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Unsanitized control of user-modifiable attributes in the session creation component in AWS Research and Engineering Studio (RES) prior to version 2026.03 could allow an authenticated remote user to escalate privileges, assume the virtual desktop host instance profile permissions, and interact with AWS resources and services via a crafted API request.
To remediate this issue, users are advised to upgrade to RES version 2026.03 or apply the corresponding mitigation patch to their existing environment.
AnalysisAI
Privilege escalation in AWS Research and Engineering Studio (RES) versions prior to 2026.03 allows authenticated remote attackers to assume virtual desktop host instance profile permissions and interact with AWS resources via crafted API requests. The vulnerability stems from unsanitized user-modifiable attributes in session creation. CVSS 8.7 (High) with network attack vector, low complexity, and requiring low privileges. Vendor-released patch available (version 2026.03). EPSS data not provided; no public exploit identified at time of analysis.
Technical ContextAI
AWS Research and Engineering Studio (RES) is a cloud-based platform for deploying virtual desktop infrastructure and high-performance computing environments. This vulnerability maps to CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes), commonly known as prototype pollution or mass assignment. The session creation component fails to sanitize or validate user-controlled attributes before processing API requests, allowing attackers to inject or modify object properties that should be restricted. In AWS environments, this enables attackers to manipulate session attributes to assume IAM instance profile permissions associated with virtual desktop hosts, effectively inheriting the cloud identity and permissions of the underlying EC2 instances. The affected product is identified as cpe:2.3:a:aws:research_and_engineering_studio_(res):*:*:*:*:*:*:*:*, covering all versions prior to the patched 2026.03 release.
RemediationAI
Vendor-released patch: Upgrade to AWS Research and Engineering Studio (RES) version 2026.03 or later, available at https://github.com/aws/res/releases/tag/2026.03. The vendor advisory at https://aws.amazon.com/security/security-bulletins/2026-014-aws/ provides official remediation guidance and notes that a corresponding mitigation patch can be applied to existing environments if immediate upgrade is not feasible. Organizations should review the GitHub issue discussion at https://github.com/aws/res/issues/149 for technical implementation details. After patching, administrators should audit existing RES sessions and review CloudTrail logs for suspicious API activity or unexpected IAM role assumptions that may indicate prior exploitation. Validate that session creation API requests properly sanitize user-controlled attributes post-upgrade. No interim workarounds are specified, making version upgrade the primary remediation path.
Remote code execution as root in AWS Research and Engineering Studio (RES) versions 2025.03 through 2025.12.01 allows au
Remote command injection in AWS Research and Engineering Studio (RES) 2024.10 through 2025.12.01 allows authenticated us
Same technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19549
GHSA-fpff-pjfw-gfg7