AWS Research and Engineering Studio Flaws Enable Root Command Execution and AWS Privilege Escalation
AWS disclosed two high-severity vulnerabilities in Research and Engineering Studio (RES) that affect releases from 2025.03 up to, but not including, 2026.03. The first, CVE-2026-5707, is a CWE-78 command injection flaw in virtual desktop session name handling that could let a remote authenticated attacker execute arbitrary commands as root on a virtual desktop host by supplying a crafted session name. The issue carries a CVSS v3.1 vector of AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, reflecting high impact across confidentiality, integrity, and availability.
AWS also disclosed CVE-2026-5708, a CWE-915 privilege-escalation flaw in the RES CreateSession API caused by improper control of user-modifiable attributes. An authenticated attacker could use a crafted API request to escalate privileges, assume the virtual desktop host instance profile permissions, and access AWS resources and services. AWS directed customers to upgrade to RES 2026.03 or apply the vendor mitigation patch, with details published through an AWS security bulletin, a GitHub issue, and the RES 2026.03 release notes.
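
The following Python example is added here and is not taken from AWS or the RES code base. It shows server-side request handling that addresses both weakness classes named above: an allow-list on the session name (CWE-78) and rejection of attributes the client must not set (CWE-915). The field names, `DEFAULT_PROFILE`, and the helper path are hypothetical, since the page does not describe the RES request schema or say which attribute was affected.

```python
import re

# Hypothetical request schema and values (assumptions, not the RES API).
SESSION_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,23}")
CLIENT_SETTABLE = {"name", "instance_type"}
DEFAULT_PROFILE = "vdi-host-default"  # constructed placeholder


class RejectedRequest(ValueError):
    """Raised when an untrusted request body fails validation."""


def sanitize_create_session(payload: dict, caller: str) -> dict:
    """Build the session record server-side from an untrusted request body."""
    unexpected = set(payload) - CLIENT_SETTABLE
    if unexpected:
        # CWE-915: reject instead of binding attributes the client must not set.
        raise RejectedRequest(f"not client-settable: {sorted(unexpected)}")
    name = payload.get("name")
    if not isinstance(name, str) or not SESSION_NAME_RE.fullmatch(name):
        # CWE-78: allow-list, so shell metacharacters never reach a command.
        raise RejectedRequest("invalid session name")
    instance_type = payload.get("instance_type", "")
    if not isinstance(instance_type, str):
        raise RejectedRequest("invalid instance type")
    return {
        "name": name,
        "instance_type": instance_type,
        "owner": caller,                      # from the authenticated identity
        "instance_profile": DEFAULT_PROFILE,  # chosen by the server only
    }


def build_argv(session: dict) -> list:
    """Argument vector for a hypothetical host-side helper.

    Pass the list to subprocess.run() without shell=True so the name stays
    one argument and is never parsed by a shell.
    """
    return ["/usr/local/bin/session-helper", "--name", session["name"]]
```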

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
AWS discloses CVE-2026-5709 affecting RES cluster-manager instance
AWS security bulletin 2026-014-AWS disclosed a third severe RES vulnerability, CVE-2026-5709, an OS command injection flaw that could let an authenticated attacker compromise the cluster-manager EC2 instance. AWS said the issue was fixed in RES version 2026.03 and provided upgrade and manual mitigation guidance.
CVE-2026-5707 and CVE-2026-5708 are publicly disclosed
Public vulnerability records described two high-severity AWS RES flaws: CVE-2026-5707, a command injection issue, and CVE-2026-5708, a privilege-escalation issue. Both were published with high-impact CVSS 3.1 scores and remediation guidance pointing to RES 2026.03.
AWS releases RES 2026.03 and mitigation guidance for two high-severity flaws
AWS released RES version 2026.03 and advised customers to upgrade or apply the corresponding mitigation patch to address CVE-2026-5707 and CVE-2026-5708. The fixes were referenced in an AWS security bulletin, GitHub issue, and the RES 2026.03 release page.
AWS RES versions before 2026.03 contain CreateSession privilege-escalation flaw
AWS RES versions prior to 2026.03 contained a privilege-escalation issue later assigned CVE-2026-5708. The vulnerability allowed an authenticated remote attacker to manipulate CreateSession attributes to assume the virtual desktop host instance profile permissions and access AWS resources.
AWS RES versions 2025.03–2025.12.01 ship with command injection flaw
AWS Research and Engineering Studio (RES) versions 2025.03 through 2025.12.01 included a command injection vulnerability later assigned CVE-2026-5707. The flaw involved unsanitized virtual desktop session names in OS command handling, enabling authenticated remote code execution as root on the virtual desktop host.
Sources
Issues with AWS Research and Engineering Studio (RES) (aws.amazon.com)
AWS Patches Critical RCE and Escalate Privileges in Research and Engineering Studio (cybersecuritynews.com)
CVE-2026-5707 - Command Injection via Virtual Desktop Session Name in AWS Research and Engineering Studio (RES) (cvefeed.io)
CVE-2026-5708 - Improper Control of User-Modifiable Attributes in RES CreateSession API (cvefeed.io)


