Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable API needing an authenticated account (PR:L) and no user interaction; symlink read yields high confidentiality only, with no integrity or availability impact.
Primary rating from Vendor (AMZN).
CVSS VectorVendor: AMZN
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
AWS Research and Engineering Studio (RES) is an open-source solution that enables researchers and engineers to create and manage secure virtual desktops and computing resources on AWS.
Improper link resolution before file access issue (CWE-59) in the Auth.GetUserPrivateKey API. An authenticated remote user could read arbitrary files on the cluster-manager EC2 instance by replacing their SSH private key file (~/.ssh/id_rsa) with a symbolic link targeting any file on the host. Because the cluster-manager process runs as root, any file readable by root is exposed, including other users' SSH private keys and application configuration secrets.
It's recommended to upgrade to RES version 2026.06.
AnalysisAI
Arbitrary file disclosure in AWS Research and Engineering Studio (RES) prior to version 2026.06 allows an authenticated remote user to read any file readable by root on the cluster-manager EC2 instance. The Auth.GetUserPrivateKey API follows a user-controlled symbolic link at ~/.ssh/id_rsa, and because the cluster-manager process runs as root, an attacker can exfiltrate other users' SSH private keys and application secrets. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated RES account (PR:L) with the ability to write to one's own home directory and place a symlink at ~/.ssh/id_rsa on the cluster-manager EC2 instance, plus the ability to invoke the Auth.GetUserPrivateKey API remotely over the network. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N, base 7.1) describes a network-reachable, low-complexity attack requiring low privileges (an existing authenticated account) with no user interaction and high confidentiality impact but no integrity or availability impact - consistent with the description of an information-disclosure symlink read. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who holds a valid RES user account logs into their environment, replaces their own ~/.ssh/id_rsa with a symbolic link pointing to a sensitive root-owned file such as another user's private key or a service configuration secret, then invokes the Auth.GetUserPrivateKey API to retrieve the linked file's contents. Because the cluster-manager reads the target as root, the attacker receives data they were never authorized to see. … |
| Remediation | Vendor-released patch: RES 2026.06 - upgrade the cluster-manager and RES environment to version 2026.06 as the primary fix, per the release at https://github.com/aws/res/releases/tag/2026.06 and the advisory at https://aws.amazon.com/security/security-bulletins/2026-053-aws/. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all RES clusters in use and their versions via AWS API or CloudTrail; review API logs for Auth.GetUserPrivateKey calls to detect suspicious activity; document current SSH keys and secrets stored on cluster-manager instances. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-59 – Improper Link Resolution Before File Access
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42056
GHSA-7xcj-pxq8-grgf