CVE-2026-14265

Deserialization of untrusted data in the RemoteQueryCachePlugin in Amazon Web Services AWS Advanced JDBC Wrapper 3.3.0 through 4.0.0 might allow an actor with write access to the shared cache infrastructure to execute arbitrary code on application servers that read cached query results via a crafted serialized Java object. The RemoteQueryCachePlugin uses ObjectInputStream without class filtering when deserializing cached query results from Redis or Valkey, enabling gadget chain execution when cache entries are poisoned. We recommend upgrading to AWS Advanced JDBC Wrapper version 4.0.1 or later.
Configurations

Configuration 1 (hide)

cpe:2.3:a:amazon:advanced_jdbc_wrapper:*:*:*:*:*:*:*:*

History

09 Jul 2026, 18:05

Type Values Removed Values Added
CPE cpe:2.3:a:amazon:advanced_jdbc_wrapper:*:*:*:*:*:*:*:*
References () https://aws.amazon.com/security/security-bulletins/2026-051-aws/ - () https://aws.amazon.com/security/security-bulletins/2026-051-aws/ - Release Notes, Vendor Advisory, Mitigation
References () https://github.com/aws/aws-advanced-jdbc-wrapper/releases/tag/4.0.1 - () https://github.com/aws/aws-advanced-jdbc-wrapper/releases/tag/4.0.1 - Release Notes
References () https://github.com/aws/aws-advanced-jdbc-wrapper/security/advisories/GHSA-c5q4-97jw-jggh - () https://github.com/aws/aws-advanced-jdbc-wrapper/security/advisories/GHSA-c5q4-97jw-jggh - Vendor Advisory, Mitigation
First Time Amazon
Amazon advanced Jdbc Wrapper

01 Jul 2026, 20:17

Type Values Removed Values Added
New CVE

Information

Published : 2026-07-01 20:17

Updated : 2026-07-09 18:05


NVD link : CVE-2026-14265

Mitre link : CVE-2026-14265

CVE.ORG link : CVE-2026-14265


JSON object : View

Products Affected

amazon

  • advanced_jdbc_wrapper
CWE
CWE-502

Deserialization of Untrusted Data