Issues with AWS Research and Engineering Studio (RES)
Bulletin ID: 2026-014-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 2026/04/06 14:00 PM PDT Description: Research and Engineering Studio (RES) on AWS is an open source, web portal design for administrators to create and manage secure cloud-based research and engineering environments. We have identified the following issues with the AWS Research and Engineering Studio (RES). CVE-2026-5707: Unsanitized input in an OS Command in the virtual desktop session name handling in AWS Research and Engineering Studio (RES) version 2025.03 through 2025.12.01 might allow a remote authenticated actor to execute arbitrary commands as root on the virtual desktop host via a crafted session name. CVE-2026-5708: Improper control of user-modifiable attributes in the session creation component in AWS Research and Engineering Studio (RES) before version 2026.03 might allow an authenticated remote user to escalate privileges and assume the Virtual Desktop Host instance profile permissions and interact with other AWS resources and services via a crafted API request. CVE-2026-5709: Unsanitized input in the FileBrowser API in AWS Research and Engineering Studio (RES) version 2024.10 through 2025.12.01 might allow a remote authenticated actor to execute arbitrary commands on the cluster-manager EC2 instance via crafted input when using the FileBrowser functionality. Impacted versions: <= 2025.12.01 Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
CSIRTS triage
- What
- Unsanitized input in OS command handling may allow a remote authenticated actor to execute arbitrary commands as root.
- Who is affected
- Remote authenticated users of AWS Research and Engineering Studio versions 2025.03 through 2025.12.01.
- Urgency
- Remediation is critical due to the potential for remote command execution.
- Action
- Update to a version of AWS Research and Engineering Studio that addresses these issues.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch Research and Engineering Studio
Get an email when a new Research and Engineering Studio advisory drops — max one per day, one-click unsubscribe.
Details
Original advisory: https://aws.amazon.com/security/security-bulletins/rss/2026-014-aws/
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-57070.99% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 58% of all scored CVEs.
- Low exploitation riskCVE-2026-57080.84% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 54% of all scored CVEs.
- Moderate exploitation riskCVE-2026-57091.1% 30-day exploitation probability. Patch within normal cadence, watch for KEV listing. Riskier than 61% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-5707 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-5708 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-5709 | coverage & exploitation status | NVD · CVE.org |
More from AWS Security Bulletins
- unknownCVE-2026-14904 - Improper Link Resolution in Auth.GetUserPrivateKey in AWS Research and Engineering Studio2026-07-07
- unknownCVE-2026-14471 - Authenticated SQL injection in the metrics-service retention policy subsystem of mcp-gateway-…2026-07-06
- unknownCVE-2026-14265- Deserialization of Untrusted Data in AWS Advanced JDBC Wrapper RemoteQueryCachePlugin2026-07-01
- unknownCVE-2026-13760 - OS Command Injection in NodejsFunction Docker Bundling in aws-cdk-lib2026-07-01
- unknownCVE-2026-13769 – Insecure file permissions in AWS CLI2026-07-01