CVE-2026-5707
Received Received - Intake
OS Command Injection in AWS RES Virtual Desktop Session Name

Publication date: 2026-04-06

Last updated on: 2026-04-10

Assigner: AMZN

Description
Unsanitized input in an OS command in the virtual desktop session name handling in AWS Research and Engineering Studio (RES) version 2025.03 through 2025.12.01 might allow a remote authenticated actor to execute arbitrary commands as root on the virtual desktop host via a crafted session name. To remediate this issue, users are advised to upgrade to RES version 2026.03 or apply the corresponding mitigation patch to their existing environment.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-06
Last Modified
2026-04-10
Generated
2026-06-16
AI Q&A
2026-04-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5707
EUVD
EUVD-2026-19548
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
amazon research_and_engineering_studio to 2026.03 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability involves unsanitized input in an operating system command related to the handling of virtual desktop session names in AWS Research and Engineering Studio (RES) versions 2025.03 through 2025.12.01.

A remote authenticated attacker can exploit this flaw by crafting a malicious session name, which allows them to execute arbitrary commands with root privileges on the virtual desktop host.

Impact Analysis

This vulnerability can have severe impacts as it allows a remote authenticated user to execute arbitrary commands as root on the affected system.

  • Complete compromise of the virtual desktop host.
  • Potential unauthorized access to sensitive data and system resources.
  • Disruption of services running on the virtual desktop host.
Mitigation Strategies

To mitigate this vulnerability, users are advised to upgrade AWS Research and Engineering Studio (RES) to version 2026.03.

Alternatively, users can apply the corresponding mitigation patch to their existing environment if upgrading is not immediately possible.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5707. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart