Cyber Posture

CVE-2026-5709

High · Public PoC

Published: 06 April 2026
Modified: 10 April 2026
KEV Added
Patch
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0012 (30.3rd percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Unsanitized input in the FileBrowser API in AWS Research and Engineering Studio (RES) version 2024.10 through 2025.12.01 might allow a remote authenticated actor to execute arbitrary commands on the cluster-manager EC2 instance via crafted input when using the FileBrowser functionality.

To remediate this issue, users are advised to upgrade to RES version 2026.03 or apply the corresponding mitigation patch to their existing environment.

Mitigating Controls (NIST 800-53 r5)

- prevent: Directly addresses unsanitized input in the FileBrowser API by requiring validation mechanisms at input points to block command injection payloads.
- prevent: Ensures timely identification, correction, and verification of flaws like this OS command injection vulnerability through patching or upgrades to RES version 2026.03.
- prevent: Enforces restrictions on inputs to the FileBrowser API interfaces, preventing crafted malicious inputs that enable arbitrary command execution on the EC2 instance.

Security Summary

CVE-2026-5709 involves unsanitized input in the FileBrowser API within AWS Research and Engineering Studio (RES), affecting versions 2024.10 through 2025.12.01. This vulnerability, published on 2026-04-06T22:16:25.627 and classified under CWE-78 (OS Command Injection), enables a remote authenticated actor to execute arbitrary commands on the cluster-manager EC2 instance through crafted input during FileBrowser usage. The issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for confidentiality, integrity, and availability impacts.

A remote authenticated user, such as one with legitimate access to the RES environment, can exploit this vulnerability by submitting malicious input via the FileBrowser API. Successful exploitation allows arbitrary command execution directly on the underlying cluster-manager EC2 instance, potentially leading to full compromise of the host, data exfiltration, or further lateral movement within the AWS environment.

AWS security bulletin 2026-014 recommends upgrading to RES version 2026.03 or applying the corresponding mitigation patch to affected environments. Additional details are available in the related GitHub issue at aws/res#150 and the release notes for tag 2026.03.
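As an added illustration of the CWE-78 pattern the summary describes and of the input-validation control listed above, not code from RES or AWS: a hypothetical file-browser directory listing in the vulnerable shell-interpolating form, beside a hardened version that validates the path at the API boundary, confines it to the user's root, and never invokes a shell (all function names and the sample directory tree are constructed for this example).

```python
import os
import re
import subprocess
import tempfile
from pathlib import Path

# Hypothetical file-browser back end with one root directory per user.
# Conservative allow-list for a user-supplied relative path (no shell metacharacters).
ALLOWED = re.compile(r"^[A-Za-z0-9._/-]+$")


def vulnerable_list_dir(root: str, user_path: str) -> str:
    """BEFORE (the CWE-78 pattern): the caller-supplied path is spliced into a shell
    command line, so metacharacters in it become extra commands run as the service
    account. Shown for contrast only; demo() never calls it."""
    return subprocess.run(f"ls -la {root}/{user_path}", shell=True,
                          capture_output=True, text=True).stdout


def resolve_under_root(root: str, user_path: str) -> Path:
    """Validate the input at the API boundary, then confine it to the user's root."""
    if not user_path or not ALLOWED.match(user_path):
        raise ValueError("path contains disallowed characters")
    root_real = Path(root).resolve()
    target = (root_real / user_path).resolve()  # collapses any '..' segments
    if target != root_real and root_real not in target.parents:
        raise ValueError("path escapes the user's root directory")
    return target


def safe_list_dir(root: str, user_path: str) -> list:
    """AFTER: no shell involved; the listing uses the filesystem API directly."""
    target = resolve_under_root(root, user_path)
    return sorted(entry.name for entry in os.scandir(target))


def demo() -> dict:
    """Build a constructed tree and record which requests are served or refused."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "projects").mkdir()
        Path(root, "projects", "run1.log").write_text("ok")
        Path(root, "projects", "run2.log").write_text("ok")
        results = {"root": safe_list_dir(root, "."),
                   "listing": safe_list_dir(root, "projects")}
        for bad in ("projects; echo x", "projects$(echo x)", "../../etc"):
            try:
                safe_list_dir(root, bad)
                results[bad] = "accepted"
            except ValueError as exc:
                results[bad] = str(exc)
        return results
```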

Details

CWE(s): CWE-78 (OS Command Injection)

Affected Products

Amazon Research and Engineering Studio, ≤ 2026.03

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
- T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

Why these techniques?

This CVE enables remote exploitation of the FileBrowser API (a public-facing web service) via OS command injection (CWE-78), yielding arbitrary Unix shell execution on the EC2 host through exploitation of a remote service.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References