CVE-2026-5709

Unsanitized input in the FileBrowser API in AWS Research and Engineering Studio (RES) version 2024.10 through 2025.12.01 might allow a remote authenticated actor to execute arbitrary commands on the cluster-manager EC2 instance via crafted input when using the FileBrowser functionality. To remediate this issue, users are advised to upgrade to RES version 2026.03 or apply the corresponding mitigation patch to their existing environment.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://aws.amazon.com/security/security-bulletins/2026-014-aws/	Vendor Advisory
https://github.com/aws/res/issues/150	Exploit Issue Tracking
https://github.com/aws/res/releases/tag/2026.03	Release Notes

Configurations

Configuration 1 (hide)

cpe:2.3:a:amazon:research_and_engineering_studio:*:*:*:*:*:*:*:*

History

10 Apr 2026, 20:03

Type	Values Removed	Values Added
CPE		cpe:2.3:a:amazon:research_and_engineering_studio::::::::
First Time		Amazon research And Engineering Studio Amazon
References	~~() https://aws.amazon.com/security/security-bulletins/2026-014-aws/ -~~	() https://aws.amazon.com/security/security-bulletins/2026-014-aws/ - Vendor Advisory
References	~~() https://github.com/aws/res/issues/150 -~~	() https://github.com/aws/res/issues/150 - Exploit, Issue Tracking
References	~~() https://github.com/aws/res/releases/tag/2026.03 -~~	() https://github.com/aws/res/releases/tag/2026.03 - Release Notes

06 Apr 2026, 22:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-06 22:16

Updated : 2026-04-10 20:03

NVD link : CVE-2026-5709

Mitre link : CVE-2026-5709

CVE.ORG link : CVE-2026-5709

JSON object : View

Products Affected

amazon

research_and_engineering_studio

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2026-5709", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-04-06T22:16:25.627", "references": [{"url": "https://aws.amazon.com/security/security-bulletins/2026-014-aws/", "tags": ["Vendor Advisory"], "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}, {"url": "https://github.com/aws/res/issues/150", "tags": ["Exploit", "Issue Tracking"], "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}, {"url": "https://github.com/aws/res/releases/tag/2026.03", "tags": ["Release Notes"], "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "Unsanitized input in the FileBrowser API in AWS Research and Engineering Studio (RES) version 2024.10 through 2025.12.01 might allow a remote authenticated actor to execute arbitrary commands on the cluster-manager EC2 instance via crafted input when using the FileBrowser functionality.\n\nTo remediate this issue, users are advised to upgrade to RES version 2026.03 or apply the corresponding mitigation patch to their existing environment."}], "lastModified": "2026-04-10T20:03:29.473", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:amazon:research_and_engineering_studio:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "37A2F72E-0B0A-4D66-94DA-E0D9D336E9E1", "versionEndExcluding": "2026.03"}], "operator": "OR"}]}], "sourceIdentifier": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}