CVE-2026-14265

Deserialization Flaw in AWS Advanced JDBC Wrapper

Vulnerability report for CVE-2026-14265, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: AMZN

Description

Deserialization of untrusted data in the RemoteQueryCachePlugin in Amazon Web Services AWS Advanced JDBC Wrapper 3.3.0 through 4.0.0 might allow an actor with write access to the shared cache infrastructure to execute arbitrary code on application servers that read cached query results via a crafted serialized Java object. The RemoteQueryCachePlugin uses ObjectInputStream without class filtering when deserializing cached query results from Redis or Valkey, enabling gadget chain execution when cache entries are poisoned. We recommend upgrading to AWS Advanced JDBC Wrapper version 4.0.1 or later.


Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-02
AI Q&A: 2026-07-01
EPSS Evaluated: N/A
External records: NVD, EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor   Product                                   Version / Range
amazon   web_services_aws_advanced_jdbc_wrapper    From 3.3.0 (inclusive) to 4.0.0 (inclusive)
amazon   web_services_aws_advanced_jdbc_wrapper    4.0.1

Exploitability

CWE-502: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-14265 is a vulnerability in the AWS Advanced JDBC Wrapper, specifically in the RemoteQueryCachePlugin. It involves the unsafe deserialization of untrusted data from a shared cache (Redis or Valkey) without proper class filtering. An attacker who has write access to this shared cache can inject a malicious serialized Java object. When the application server reads and deserializes this poisoned cache entry, it can lead to arbitrary code execution on the server.

Detection Guidance

This vulnerability involves unsafe deserialization in the RemoteQueryCachePlugin of AWS Advanced JDBC Wrapper versions 3.3.0 through 4.0.0. Detection would focus on identifying the presence and usage of these vulnerable versions and monitoring for suspicious serialized Java objects in the shared Redis or Valkey cache.

To determine exposure, check whether a vulnerable AWS Advanced JDBC Wrapper version (3.3.0 through 4.0.0) is present in your environment by inspecting application dependencies or the version loaded at runtime, and whether the RemoteQueryCachePlugin is enabled against a Redis or Valkey cache.

Additionally, monitoring write access to the Redis or Valkey cache for unusual or unauthorized activity can help detect attempts to exploit this vulnerability.

Specific commands to detect vulnerable versions or suspicious activity are not provided in the available resources.

Impact Analysis

This vulnerability can allow an attacker with write access to the shared cache infrastructure to execute arbitrary code on your application servers. This means the attacker could potentially take control of the server, access sensitive data, disrupt services, or perform other malicious actions. The impact includes high risks to confidentiality, integrity, and availability of your systems.

Mitigation Strategies

To mitigate the vulnerability in the AWS Advanced JDBC Wrapper RemoteQueryCachePlugin, you should upgrade to version 4.0.1 or later, which includes fixes to prevent unsafe Java deserialization.

As a temporary workaround, you can disable the RemoteQueryCachePlugin to prevent deserialization of untrusted data.

Additionally, restrict write access to the shared Redis or Valkey cache infrastructure to trusted users only, to prevent attackers from injecting malicious serialized Java objects.
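As an added illustration (not code from the AWS Advanced JDBC Wrapper project), the following shows the unsafe pattern the advisory describes, an unfiltered ObjectInputStream over bytes read from the cache, next to a hardened read that installs a JEP 290 ObjectInputFilter allowlist; the CachedRows type, the method names and the filter pattern are assumptions for this example.

```java
import java.io.*;
import java.util.*;

// Hypothetical stand-in for a cached query result; the plugin's real classes are not shown here.
final class CachedRows implements Serializable {
    private static final long serialVersionUID = 1L;
    final List<String[]> rows;
    CachedRows(List<String[]> rows) { this.rows = rows; }
}

public class CacheDeserialization {
    // The pattern the advisory describes: bytes fetched from Redis/Valkey go straight into
    // ObjectInputStream with no filter, so any class named in the stream gets instantiated.
    static Object readUnfiltered(byte[] fromCache) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(fromCache))) {
            return in.readObject();
        }
    }

    // Hardened form: an ObjectInputFilter (Java 9+) that allows only the expected result type
    // and the JDK types it contains, caps nesting depth and array sizes, and rejects everything
    // else ("!*"). Arrays are checked by component type, so String[] is covered by java.lang.String.
    static final ObjectInputFilter CACHE_FILTER = ObjectInputFilter.Config.createFilter(
            "CachedRows;java.util.ArrayList;java.lang.String;maxdepth=8;maxarray=10000;!*");

    static CachedRows readFiltered(byte[] fromCache) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(fromCache))) {
            in.setObjectInputFilter(CACHE_FILTER);
            return (CachedRows) in.readObject(); // throws InvalidClassException if a class is rejected
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample entry standing in for a legitimately cached result.
        List<String[]> rows = new ArrayList<>();
        rows.add(new String[]{"1", "alice"});
        byte[] legit = serialize(new CachedRows(rows));
        System.out.println(readFiltered(legit).rows.get(0)[1]); // alice

        // A cache entry whose stream names a class outside the allowlist (a harmless HashMap here)
        // is refused before any of that class's deserialization logic runs.
        byte[] unexpected = serialize(new HashMap<String, String>());
        try { readFiltered(unexpected); } catch (InvalidClassException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Because the filter is consulted before each class in the stream is resolved, a poisoned entry is rejected at the first unexpected class descriptor; the same allowlist can also be applied process-wide via the jdk.serialFilter system property as a defence-in-depth layer.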
