CVE-2026-14904 - Improper Link Resolution in Auth.GetUserPrivateKey in AWS Research and Engineering Studio
Bulletin ID: 2026-053-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 07/07/2026 09:45 AM PDT Description: AWS Research and Engineering Studio (RES) is an open-source solution that enables researchers and engineers to create and manage secure virtual desktops and computing resources on AWS. We identified an improper link resolution before file access issue (CWE-59) in the Auth.GetUserPrivateKey API. An authenticated remote user could read arbitrary files on the cluster-manager EC2 instance by replacing their SSH private key file (~/.ssh/id_rsa) with a symbolic link targeting any file on the host. Because the cluster-manager process runs as root, any file readable by root is exposed, including other users' SSH private keys and application configuration secrets. Impacted versions: <=2026.03 Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
CSIRTS triage
- What
- An improper link resolution issue could allow an authenticated remote user to read arbitrary files.
- Who is affected
- Users of AWS Research and Engineering Studio with the affected version.
- Urgency
- Remediation is important due to the potential for sensitive data exposure.
- Action
- Update to a version greater than 2026.03.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch AWS Research and Engineering Studio
Get an email when a new AWS Research and Engineering Studio advisory drops — max one per day, one-click unsubscribe.
Details
Original advisory: https://aws.amazon.com/security/security-bulletins/rss/2026-053-aws/
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-149040.38% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 30% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-14904 | coverage & exploitation status | NVD · CVE.org |
Same CVEs, other sources
How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.
Recent advisories for - Improper Link
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- mediumCVE-2026-3552: The SurfLink - Ultimate Link Manager plugin for WordPress is vulnerable to unauthorized data mo…nvd · 2026-07-11
- highGHSA-qcq2-496w-v96p: Mistune: Potential DoS via quadratic-time parsing in parse_link_textghsa · 2026-07-09
- unknownCVE-2026-57501: Zen is a firefox-based browser. Prior to 1.21.5b, Zen's glance and split-view context-menu act…nvd · 2026-07-09
- unknownCVE-2026-55424: Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 20…nvd · 2026-07-09
- highCVE-2026-15270: A weakness has been identified in D-link DIR-823G 1.0.2B05_20181207. Affected by this vulnerab…nvd · 2026-07-09
- unknownCVE-2026-49276: Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites using…nvd · 2026-07-09
More from AWS Security Bulletins
- unknownCVE-2026-14471 - Authenticated SQL injection in the metrics-service retention policy subsystem of mcp-gateway-…2026-07-06
- unknownCVE-2026-14265- Deserialization of Untrusted Data in AWS Advanced JDBC Wrapper RemoteQueryCachePlugin2026-07-01
- unknownCVE-2026-13760 - OS Command Injection in NodejsFunction Docker Bundling in aws-cdk-lib2026-07-01
- unknownCVE-2026-13769 – Insecure file permissions in AWS CLI2026-07-01
- unknownCVE-2026-13762 and CVE-2026-13763 - Issue with HTTP/2 multi-frame request body inspection in AWS WAF2026-06-29