CVE-2026-5708
Received Received - Intake
Privilege Escalation via Unsanitized Attributes in AWS RES Session Creation

Publication date: 2026-04-06

Last updated on: 2026-04-10

Assigner: AMZN

Description
Unsanitized control of user-modifiable attributes in the session creation component in AWS Research and Engineering Studio (RES) prior to version 2026.03 could allow an authenticated remote user to escalate privileges, assume the virtual desktop host instance profile permissions, and interact with AWS resources and services via a crafted API request. To remediate this issue, users are advised to upgrade to RES version 2026.03 or apply the corresponding mitigation patch to their existing environment.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-06
Last Modified
2026-04-10
Generated
2026-06-16
AI Q&A
2026-04-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5708
EUVD
EUVD-2026-19549
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
amazon research_and_engineering_studio to 2026.03 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-915 The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the session creation component of AWS Research and Engineering Studio (RES) prior to version 2026.03. It involves unsanitized control of user-modifiable attributes, which means that an authenticated remote user can manipulate certain session attributes without proper validation.

By exploiting this flaw, the attacker can escalate their privileges, assume the permissions of the virtual desktop host instance profile, and interact with AWS resources and services through a specially crafted API request.

Impact Analysis

This vulnerability can have a significant impact by allowing an authenticated user to gain elevated privileges beyond their intended access.

  • Privilege escalation to assume virtual desktop host instance profile permissions.
  • Unauthorized interaction with AWS resources and services.

Such unauthorized access can lead to data exposure, modification, or disruption of services within the affected AWS environment.

Mitigation Strategies

To mitigate this vulnerability, users are advised to upgrade AWS Research and Engineering Studio (RES) to version 2026.03 or apply the corresponding mitigation patch to their existing environment.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5708. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart