CVE-2026-5707
Received Received - Intake

OS Command Injection in AWS RES Virtual Desktop Session Name

Vulnerability report for CVE-2026-5707, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-06

Last updated on: 2026-04-10

Assigner: AMZN

Description

Unsanitized input in an OS command in the virtual desktop session name handling in AWS Research and Engineering Studio (RES) version 2025.03 through 2025.12.01 might allow a remote authenticated actor to execute arbitrary commands as root on the virtual desktop host via a crafted session name. To remediate this issue, users are advised to upgrade to RES version 2026.03 or apply the corresponding mitigation patch to their existing environment.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-06
Last Modified
2026-04-10
Generated
2026-07-06
AI Q&A
2026-04-07
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
amazon research_and_engineering_studio to 2026.03 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability involves unsanitized input in an operating system command related to the handling of virtual desktop session names in AWS Research and Engineering Studio (RES) versions 2025.03 through 2025.12.01.

A remote authenticated attacker can exploit this flaw by crafting a malicious session name, which allows them to execute arbitrary commands with root privileges on the virtual desktop host.

Impact Analysis

This vulnerability can have severe impacts as it allows a remote authenticated user to execute arbitrary commands as root on the affected system.

  • Complete compromise of the virtual desktop host.
  • Potential unauthorized access to sensitive data and system resources.
  • Disruption of services running on the virtual desktop host.
Mitigation Strategies

To mitigate this vulnerability, users are advised to upgrade AWS Research and Engineering Studio (RES) to version 2026.03.

Alternatively, users can apply the corresponding mitigation patch to their existing environment if upgrading is not immediately possible.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5707. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart