CVE-2026-5707
Bulletin ID: 2026-014-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 2026/04/06 14:00 PM PDT Description: Research and Engineering Studio (RES) on AWS is an open source, web portal design for administrators to create and manage secure cloud-based research and engineering environments. We have identified the following issues with the AWS Research and Engineering Studio (RES). CVE-2026-5707: Unsanitized input in an OS Command in the virtual desktop session name handling in AWS Research and Engineering Studio (RES) version 2025.03 through 2025.12.01 might allow a remote authenticated actor to execute arbitrary commands as root on the virtual desktop host via a crafted session name. CVE-2026-5708: Improper control of user-modifiable attributes in the session creation component in AWS Research and Engineering Studio (RES) before version 2026.03 might allow an authenticated remote user to escalate privileges and assume the Virtual Desktop Host instance profile permissions and interact with other AWS resources and services via a crafted API request. CVE-2026-5709: Unsanitized input in the FileBrowser API in AWS Research and Engineering Studio (RES) version 2024.10 through 2025.12.01 might allow a remote authenticated actor to execute arbitrary commands on the cluster-manager EC2 instance via crafted input when using the FileBrowser functionality. Impacted versions: <= 2025.12.01 Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
CSIRTS triage
- What
- Unsanitized input in OS command handling may allow a remote authenticated actor to execute arbitrary commands as root.
- Who is affected
- Remote authenticated users of AWS Research and Engineering Studio versions 2025.03 through 2025.12.01.
- Urgency
- Remediation is critical due to the potential for remote command execution.
- Action
- Update to a version of AWS Research and Engineering Studio that addresses these issues.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch CVE-2026-5707
Get an email if CVE-2026-5707 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Exploitation outlook
- Low exploitation risk0.99% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 58% of all EPSS-scored CVEs.
Advisory coverage (1)
- unknownIssues with AWS Research and Engineering Studio (RES)aws · 2026-06-05
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2026-5707)