CVE-2026-5707
OS Command Injection in AWS RES Virtual Desktop Session Name
Publication date: 2026-04-06
Last updated on: 2026-04-10
Assigner: AMZN
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| amazon | research_and_engineering_studio | to 2026.03 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves unsanitized input in an operating system command related to the handling of virtual desktop session names in AWS Research and Engineering Studio (RES) versions 2025.03 through 2025.12.01.
A remote authenticated attacker can exploit this flaw by crafting a malicious session name, which allows them to execute arbitrary commands with root privileges on the virtual desktop host.
How can this vulnerability impact me? :
This vulnerability can have severe impacts as it allows a remote authenticated user to execute arbitrary commands as root on the affected system.
- Complete compromise of the virtual desktop host.
- Potential unauthorized access to sensitive data and system resources.
- Disruption of services running on the virtual desktop host.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, users are advised to upgrade AWS Research and Engineering Studio (RES) to version 2026.03.
Alternatively, users can apply the corresponding mitigation patch to their existing environment if upgrading is not immediately possible.