CVE-2026-5708
Published: 06 April 2026
Description
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside a network.
Security Summary
CVE-2026-5708 affects the session creation component in AWS Research and Engineering Studio (RES) versions prior to 2026.03. It stems from improperly controlled modification of user-modifiable object attributes (CWE-915): user-supplied attributes are not properly validated during session creation, which can lead to unauthorized privilege modifications. Published on 2026-04-06, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An authenticated remote user with low privileges (PR:L) can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N) by sending a crafted API request. Exploitation allows the attacker to escalate privileges, assume the permissions of the virtual desktop host instance profile, and interact with AWS resources and services.
AWS advisories recommend upgrading to RES version 2026.03 or applying the corresponding mitigation patch to existing environments. Details are available in the AWS security bulletin at https://aws.amazon.com/security/security-bulletins/2026-014-aws/, the related GitHub issue at https://github.com/aws/res/issues/149, and the release page at https://github.com/aws/res/releases/tag/2026.03.
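To make the weakness class concrete, the following is an added illustration (hypothetical code, not AWS RES source) of a session-creation handler that mass-assigns request attributes, the CWE-915 pattern, beside a hardened version that only accepts an allowlist of client-settable fields. The attribute names, profile values and request shape are assumptions made for the example.

```python
# Hypothetical session model; field names and defaults are assumed, not RES's.
from dataclasses import dataclass, fields


@dataclass
class Session:
    owner: str
    software_stack: str = "default"
    instance_type: str = "t3.medium"
    # Server-controlled attributes: must never be settable from a client request.
    instance_profile: str = "vdi-user-profile"
    is_admin: bool = False


SERVER_CONTROLLED = {"owner", "instance_profile", "is_admin"}


def create_session_vulnerable(user: str, body: dict) -> Session:
    """CWE-915 pattern: every key in the request body is copied onto the object,
    so privileged attributes can be overwritten by the caller."""
    session = Session(owner=user)
    for key, value in body.items():
        setattr(session, key, value)  # no allowlist: any attribute wins
    return session


def create_session_hardened(user: str, body: dict) -> Session:
    """Copies only allowlisted attributes and rejects the request outright if it
    names any server-controlled or unknown field."""
    allowed = {f.name for f in fields(Session)} - SERVER_CONTROLLED
    unknown = set(body) - allowed
    if unknown:
        # Rejecting (rather than silently dropping) also gives defenders a log signal.
        raise ValueError(f"disallowed attributes in request: {sorted(unknown)}")
    session = Session(owner=user)
    for key in allowed & set(body):
        setattr(session, key, body[key])
    return session


# Constructed request: an ordinary session request with privileged fields appended.
REQUEST = {
    "software_stack": "rstudio",
    "is_admin": True,
    "instance_profile": "vdi-admin-profile",
}
```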
Details
CWE(s)
CWE-915
Affected Products
AWS Research and Engineering Studio (RES) versions prior to 2026.03
MITRE ATT&CK Enterprise Techniques
T1068 (Exploitation for Privilege Escalation), T1210 (Exploitation of Remote Services)
Why these techniques?
The vulnerability enables low-privilege authenticated users to escalate privileges via crafted API requests that exploit improper input validation in AWS RES session creation, directly facilitating T1068 (Exploitation for Privilege Escalation) and T1210 (Exploitation of Remote Services).