Skip to main content

Res

1 CVEs product

Monthly

CVE-2026-14904 HIGH This Week

Arbitrary file disclosure in AWS Research and Engineering Studio (RES) prior to version 2026.06 allows an authenticated remote user to read any file readable by root on the cluster-manager EC2 instance. The Auth.GetUserPrivateKey API follows a user-controlled symbolic link at ~/.ssh/id_rsa, and because the cluster-manager process runs as root, an attacker can exfiltrate other users' SSH private keys and application secrets. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Information Disclosure Res
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.4%
EPSS 0% CVSS 7.1
HIGH This Week

Arbitrary file disclosure in AWS Research and Engineering Studio (RES) prior to version 2026.06 allows an authenticated remote user to read any file readable by root on the cluster-manager EC2 instance. The Auth.GetUserPrivateKey API follows a user-controlled symbolic link at ~/.ssh/id_rsa, and because the cluster-manager process runs as root, an attacker can exfiltrate other users' SSH private keys and application secrets. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Information Disclosure Res
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy