CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-14904

mediumCVSS 6.5covered by 2 sourcesfirst seen 2026-07-07
Bulletin ID: 2026-053-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 07/07/2026 09:45 AM PDT Description: AWS Research and Engineering Studio (RES) is an open-source solution that enables researchers and engineers to create and manage secure virtual desktops and computing resources on AWS. We identified an improper link resolution before file access issue (CWE-59) in the Auth.GetUserPrivateKey API. An authenticated remote user could read arbitrary files on the cluster-manager EC2 instance by replacing their SSH private key file (~/.ssh/id_rsa) with a symbolic link targeting any file on the host. Because the cluster-manager process runs as root, any file readable by root is exposed, including other users' SSH private keys and application configuration secrets. Impacted versions: <=2026.03 Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.

CSIRTS triage

What
An improper link resolution issue could allow an authenticated remote user to read arbitrary files.
Who is affected
Users of AWS Research and Engineering Studio with the affected version.
Urgency
Remediation is important due to the potential for sensitive data exposure.
Action
Update to a version greater than 2026.03.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch CVE-2026-14904

Get an email if CVE-2026-14904 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (2)

External references

NVD record for CVE-2026-14904

CVE.org record

Embed the live status

CVE-2026-14904 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-14904 status](https://www.csirts.com/badge/CVE-2026-14904)](https://www.csirts.com/cve/CVE-2026-14904)