CVE-2026-5708
Privilege Escalation via Unsanitized Attributes in AWS RES Session Creation
Publication date: 2026-04-06
Last updated on: 2026-04-10
Assigner: AMZN
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| amazon | research_and_engineering_studio | up to 2026.03 (excluding) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-915 | The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the session creation component of AWS Research and Engineering Studio (RES) prior to version 2026.03. The flaw is unsanitized control of user-modifiable attributes (CWE-915): an authenticated remote user can set session attributes that are not properly validated.
By exploiting this flaw through a specially crafted API request, the attacker can escalate their privileges, assume the permissions of the virtual desktop host instance profile, and interact with AWS resources and services with those permissions.
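As an added illustration of the CWE-915 pattern described above (example code written for this page, not AWS RES code), the following shows a session-creation handler that copies every client-supplied attribute onto the session beside a hardened version that allow-lists the attributes a user may set and validates their values. All attribute names, ARNs and instance types are constructed placeholders, not RES identifiers; the allow-list and validators are assumed policy.

```python
"""Illustrative CWE-915 (mass assignment) pattern in a session-creation handler.
Constructed example; attribute names are placeholders, not AWS RES identifiers."""

from dataclasses import dataclass, field
from typing import Any

# Server-controlled defaults for a new virtual desktop session (constructed values).
DEFAULTS: dict[str, Any] = {
    "instance_type": "t3.medium",
    "instance_profile_arn": "arn:aws:iam::123456789012:instance-profile/constructed-desktop-user",
    "owner": None,
}

# Attributes a regular user is allowed to set on session creation (assumed policy).
USER_SETTABLE = frozenset({"name", "instance_type", "software_stack_id"})

# Permitted values for the allow-listed attributes that need value checks (assumed policy).
ALLOWED_INSTANCE_TYPES = frozenset({"t3.medium", "t3.large"})


class AttributeRejected(ValueError):
    """Raised when a request tries to set an attribute outside the allow-list."""


@dataclass
class SessionRequest:
    owner: str                      # taken from the authenticated identity, never the body
    attributes: dict[str, Any] = field(default_factory=dict)  # parsed request body


def create_session_unsafe(req: SessionRequest) -> dict[str, Any]:
    """Vulnerable pattern: every client-supplied attribute is copied onto the session,
    so the body can override server-controlled fields such as the instance profile."""
    session = dict(DEFAULTS)
    session["owner"] = req.owner
    session.update(req.attributes)  # no allow-list: mass assignment
    return session


def rejected_attributes(attributes: dict[str, Any]) -> list[str]:
    """Names in the request that are not user-settable; also handy for detection logging."""
    return sorted(set(attributes) - USER_SETTABLE)


def create_session_safe(req: SessionRequest) -> dict[str, Any]:
    """Hardened pattern: reject unknown attributes outright (rather than silently dropping
    them, so misuse is visible in logs), then validate the values of the permitted ones."""
    bad = rejected_attributes(req.attributes)
    if bad:
        raise AttributeRejected(f"attributes not permitted on session creation: {bad}")
    itype = req.attributes.get("instance_type", DEFAULTS["instance_type"])
    if itype not in ALLOWED_INSTANCE_TYPES:
        raise AttributeRejected(f"instance_type not permitted: {itype!r}")
    session = dict(DEFAULTS)
    session["owner"] = req.owner
    for name in USER_SETTABLE:          # copy only allow-listed keys
        if name in req.attributes:
            session[name] = req.attributes[name]
    return session


if __name__ == "__main__":
    # Constructed request that tries to set a server-controlled field.
    body = {"name": "analysis", "instance_profile_arn": "arn:aws:iam::123456789012:instance-profile/constructed-admin"}
    print("unsafe:", create_session_unsafe(SessionRequest("alice", body))["instance_profile_arn"])
    try:
        create_session_safe(SessionRequest("alice", body))
    except AttributeRejected as exc:
        print("safe:", exc)
```

The defensive point is the explicit allow-list: the server decides which fields a request may touch and binds sensitive values (here the instance profile) from its own configuration, never from the request body. Logging the output of `rejected_attributes` on every rejected request gives a cheap detection signal for probing of this kind.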
How can this vulnerability impact me?
This vulnerability can have a significant impact by allowing an authenticated user to gain elevated privileges beyond their intended access.
- Privilege escalation to assume virtual desktop host instance profile permissions.
- Unauthorized interaction with AWS resources and services.
Such unauthorized access can lead to data exposure, modification, or disruption of services within the affected AWS environment.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, users are advised to upgrade AWS Research and Engineering Studio (RES) to version 2026.03 or apply the corresponding mitigation patch to their existing environment.