CVE-2026-5709
Command Injection in AWS RES FileBrowser Allows Remote Code Execution
Publication date: 2026-04-06
Last updated on: 2026-04-10
Assigner: AMZN
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| amazon | research_and_engineering_studio | all versions before 2026.03 (2026.03 itself is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an OS command injection (CWE-78) in the FileBrowser API of AWS Research and Engineering Studio (RES) versions 2024.10 through 2025.12.01. User-supplied input reaches an OS command without being neutralized, so a remote, authenticated RES user can execute arbitrary commands on the cluster-manager EC2 instance by sending specially crafted input through the FileBrowser functionality. Note that the attacker needs a valid RES login; this is not an unauthenticated issue.
How can this vulnerability impact me?
The vulnerability leads to remote command execution on the cluster-manager EC2 instance. An authenticated attacker could take control of that instance, read or manipulate data it can reach, disrupt the services it runs, and use it as a foothold to compromise the rest of the environment.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade AWS Research and Engineering Studio (RES) to version 2026.03 or later, or apply the corresponding mitigation patch to your existing environment if you cannot upgrade yet. Until that is done, limit who holds RES accounts, since any authenticated user can reach the vulnerable FileBrowser functionality.
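The advisory does not publish the affected code, so the following is an added illustration of the CWE-78 pattern named above, not RES's own implementation: a hypothetical file-browser "list directory" handler that pastes the user-supplied path into a shell command line, next to a hardened version that confines the path to a browse root and never starts a shell. All function names, the `INJECTED` marker and the sample filenames are constructed for this example.

```python
"""CWE-78 (OS command injection) in a file-browser style handler.

Hypothetical code written for this page; it is not the RES FileBrowser
implementation. The vulnerable function shows why a shell metacharacter in a
path becomes a second command; the hardened one shows the two fixes that
matter: confine the path, and pass an argv list with no shell.
"""
import subprocess
from pathlib import Path
from typing import List, Optional


def build_vulnerable_command(user_path: str) -> str:
    """Vulnerable: attacker-controlled text becomes part of a shell command."""
    # "/tmp; id" turns into "ls -la /tmp; id" and the shell runs both.
    return f"ls -la {user_path}"


def list_directory_vulnerable(user_path: str) -> str:
    """Vulnerable: shell=True hands the whole string to /bin/sh."""
    result = subprocess.run(
        build_vulnerable_command(user_path),
        shell=True,               # the bug: a shell parses ; | $( ) & etc.
        capture_output=True,
        text=True,
    )
    return result.stdout


def resolve_under_root(root: str, user_path: str) -> Optional[Path]:
    """Map a user-supplied path onto the browse root.

    Returns the resolved path, or None if it escapes the root (e.g. via "..").
    """
    root_p = Path(root).resolve()
    # Strip a leading "/" so an absolute input is still interpreted relative
    # to the browse root rather than the filesystem root.
    target = (root_p / user_path.lstrip("/")).resolve()
    if target != root_p and root_p not in target.parents:
        return None
    return target


def list_directory_hardened(root: str, user_path: str) -> List[str]:
    """Hardened: path confined to root, program invoked with an argv list."""
    target = resolve_under_root(root, user_path)
    if target is None:
        raise ValueError("path escapes the browse root")
    if not target.is_dir():
        raise FileNotFoundError(user_path)
    # No shell: each argv element is passed to execve() as-is, so "; echo X"
    # inside a filename is just bytes in an argument, not a second command.
    # "--" stops ls from treating a name starting with "-" as an option.
    result = subprocess.run(
        ["ls", "-1a", "--", str(target)],
        capture_output=True,
        text=True,
        check=True,
    )
    return result.stdout.splitlines()


if __name__ == "__main__":
    import os
    import tempfile

    demo_root = tempfile.mkdtemp()
    # Constructed sample: a filename that looks like an injection payload.
    open(os.path.join(demo_root, "x; echo INJECTED"), "w").close()

    print("vulnerable:", repr(list_directory_vulnerable("/nope; echo INJECTED")))
    print("hardened  :", list_directory_hardened(demo_root, ""))
    print("traversal :", resolve_under_root(demo_root, "../../../../etc"))
```

Two points are worth drawing out. First, quoting (`shlex.quote`) is only a fallback for the rare case where a shell is genuinely required; the argv form removes the shell and therefore the entire class of metacharacter bugs, and for listing a directory plain `os.scandir` would remove the subprocess too. Second, the path check is a separate control: even with no shell, a file browser that accepts `../..` lets an authenticated user read outside the intended tree, so the hardened handler rejects anything whose resolved location is not the browse root or beneath it.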