CVE-2026-14904
Received Received - Intake

Symlink File Read Vulnerability in AWS Research and Engineering Studio

Vulnerability report for CVE-2026-14904, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: AMZN

Description

AWS Research and Engineering Studio (RES) is an open-source solution that enables researchers and engineers to create and manage secure virtual desktops and computing resources on AWS. Improper link resolution before file access issue (CWE-59) in the Auth.GetUserPrivateKey API. An authenticated remote user could read arbitrary files on the cluster-manager EC2 instance by replacing their SSH private key file (~/.ssh/id_rsa) with a symbolic link targeting any file on the host. Because the cluster-manager process runs as root, any file readable by root is exposed, including other users' SSH private keys and application configuration secrets. It's recommended to upgrade to RES version 2026.06.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
aws research_and_engineering_studio to 2026.03 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-14904 is an improper link resolution vulnerability (CWE-59) in the Auth.GetUserPrivateKey API of AWS Research and Engineering Studio (RES).

An authenticated remote user can exploit this flaw by replacing their SSH private key file (~/.ssh/id_rsa) with a symbolic link that points to any file on the cluster-manager EC2 instance.

Because the cluster-manager process runs with root privileges, this allows the attacker to read arbitrary files on the host, including sensitive files such as other users' SSH private keys and application configuration secrets.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information on the cluster-manager EC2 instance.

  • An attacker with authenticated access can read arbitrary files, potentially exposing other users' SSH private keys.
  • Application configuration secrets stored on the host may also be exposed.

Such exposure can compromise the security of the system and other users, potentially leading to further attacks or data breaches.

Mitigation Strategies

To mitigate this vulnerability, it is recommended to upgrade AWS Research and Engineering Studio (RES) to version 2026.06 or later, where the issue has been fixed.

For users who cannot upgrade immediately, patch scripts are available for the past three major versions, with detailed instructions provided on the RES GitHub wiki.

Compliance Impact

The vulnerability allows an authenticated remote user to read arbitrary files on the cluster-manager EC2 instance, including sensitive files such as other users' SSH private keys and application configuration secrets. This exposure of sensitive data could potentially lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.

Because the cluster-manager process runs as root, the impact is significant in terms of confidentiality, which is a core requirement in many compliance frameworks. Organizations using AWS Research and Engineering Studio (RES) should upgrade to version 2026.06 or apply available patches to mitigate this risk and maintain compliance.

Detection Guidance

This vulnerability involves an authenticated user replacing their SSH private key file (~/.ssh/id_rsa) with a symbolic link pointing to arbitrary files on the cluster-manager EC2 instance. Detection involves checking for unexpected symbolic links in the SSH private key location and monitoring for unauthorized file access attempts by the cluster-manager process running as root.

Suggested commands to detect potential exploitation or presence of this vulnerability include:

  • Check if the SSH private key file is a symbolic link: ls -l ~/.ssh/id_rsa
  • Find all symbolic links in users' .ssh directories that could be exploited: find /home -type l -path '*/.ssh/id_rsa'
  • Audit recent file access by the cluster-manager process (running as root) using system audit tools like auditd or by checking logs for suspicious reads.
  • Monitor for unusual file read operations or symbolic link creations in the cluster-manager environment.

Upgrading to RES version 2026.06 or later is recommended to remediate this vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-14904. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart