{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5708", "assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "state": "PUBLISHED", "assignerShortName": "AMZN", "dateReserved": "2026-04-06T16:11:19.068Z", "datePublished": "2026-04-06T21:28:03.951Z", "dateUpdated": "2026-04-07T15:09:25.916Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "shortName": "AMZN", "dateUpdated": "2026-04-06T21:36:45.719Z"}, "title": "Improper Control of User-Modifiable Attributes in RES CreateSession API", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-915", "description": "CWE-915 Improperly controlled modification of Dynamically-Determined object attributes", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "affected": [{"vendor": "AWS", "product": "Research and Engineering Studio (RES)", "versions": [{"status": "affected", "version": "2023.11", "lessThanOrEqual": "2025.12.01", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Unsanitized control of user-modifiable attributes in the session creation component in AWS Research and Engineering Studio (RES) prior to version 2026.03 could allow an authenticated remote user to escalate privileges, assume the virtual desktop host instance profile permissions, and interact with AWS resources and services via a crafted API request.\n\nTo remediate this issue, users are advised to upgrade to RES version 2026.03 or apply the corresponding mitigation patch to their existing environment.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>Unsanitized control of user-modifiable attributes in the session creation component in AWS Research and Engineering Studio (RES) <span>prior to version 2026.03</span> could allow an authenticated remote user to escalate privileges, assume the virtual desktop host instance profile permissions, and interact with AWS resources and services via a crafted API request.</p><p>To remediate this issue, users are advised to upgrade to RES version 2026.03 or apply the corresponding mitigation patch to their existing environment.</p>"}]}], "references": [{"url": "https://github.com/aws/res/releases/tag/2026.03", "tags": ["release-notes"]}, {"url": "https://github.com/aws/res/issues/149", "tags": ["patch"]}, {"url": "https://aws.amazon.com/security/security-bulletins/2026-014-aws/", "tags": ["vendor-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.7, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T14:48:44.580621Z", "id": "CVE-2026-5708", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T15:09:25.916Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5708", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-07T14:48:44.580621Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T14:48:49.211Z"}}], "cna": {"title": "Improper Control of User-Modifiable Attributes in RES CreateSession API", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "AWS", "product": "Research and Engineering Studio (RES)", "versions": [{"status": "affected", "version": "2023.11", "versionType": "custom", "lessThanOrEqual": "2025.12.01"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/aws/res/releases/tag/2026.03", "tags": ["release-notes"]}, {"url": "https://github.com/aws/res/issues/149", "tags": ["patch"]}, {"url": "https://aws.amazon.com/security/security-bulletins/2026-014-aws/", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Unsanitized control of user-modifiable attributes in the session creation component in AWS Research and Engineering Studio (RES) prior to version 2026.03 could allow an authenticated remote user to escalate privileges, assume the virtual desktop host instance profile permissions, and interact with AWS resources and services via a crafted API request.\n\nTo remediate this issue, users are advised to upgrade to RES version 2026.03 or apply the corresponding mitigation patch to their existing environment.", "supportingMedia": [{"type": "text/html", "value": "<p>Unsanitized control of user-modifiable attributes in the session creation component in AWS Research and Engineering Studio (RES) <span>prior to version 2026.03</span> could allow an authenticated remote user to escalate privileges, assume the virtual desktop host instance profile permissions, and interact with AWS resources and services via a crafted API request.</p><p>To remediate this issue, users are advised to upgrade to RES version 2026.03 or apply the corresponding mitigation patch to their existing environment.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-915", "description": "CWE-915 Improperly controlled modification of Dynamically-Determined object attributes"}]}], "providerMetadata": {"orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "shortName": "AMZN", "dateUpdated": "2026-04-06T21:36:45.719Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5708", "state": "PUBLISHED", "dateUpdated": "2026-04-07T15:09:25.916Z", "dateReserved": "2026-04-06T16:11:19.068Z", "assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "datePublished": "2026-04-06T21:28:03.951Z", "assignerShortName": "AMZN"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:amazon:research_and_engineering_studio:*:*:*:*:*:*:*:*", "matchCriteriaId": "37A2F72E-0B0A-4D66-94DA-E0D9D336E9E1", "versionEndExcluding": "2026.03", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Unsanitized control of user-modifiable attributes in the session creation component in AWS Research and Engineering Studio (RES) prior to version 2026.03 could allow an authenticated remote user to escalate privileges, assume the virtual desktop host instance profile permissions, and interact with AWS resources and services via a crafted API request.\n\nTo remediate this issue, users are advised to upgrade to RES version 2026.03 or apply the corresponding mitigation patch to their existing environment."}], "id": "CVE-2026-5708", "lastModified": "2026-04-10T20:08:48.217", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary"}]}, "published": "2026-04-06T22:16:25.457", "references": [{"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "tags": ["Vendor Advisory"], "url": "https://aws.amazon.com/security/security-bulletins/2026-014-aws/"}, {"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "tags": ["Exploit", "Mitigation", "Issue Tracking"], "url": "https://github.com/aws/res/issues/149"}, {"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "tags": ["Release Notes"], "url": "https://github.com/aws/res/releases/tag/2026.03"}], "sourceIdentifier": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-915"}], "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[2023.11,2025.12.01]"}}], "enrichment": {"confidence": 93.0, "confidence_source": "matching", "scores": [{"score": 93.0, "source": "matching"}]}, "original": {"product": "Research and Engineering Studio (RES)", "source": "cna", "vendor": "AWS"}, "product": "research_and_engineering_studio", "vendor": "aws"}], "analysis": {"en": {"generated_at": "2026-04-10T21:52:12.989302+00:00", "value": {"mitigation_remediation": ["Upgrade to AWS RES version 2026.03 or newer.", "If an upgrade cannot be performed immediately, apply the mitigation patch provided by AWS for the affected version.", "Ensure session attributes are fully validated before being applied during session creation.", "Restrict CreateSession API access to only necessary administrative accounts.", "Monitor RES logs for unauthorized or anomalous session creation attempts."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation via Session Creation"}, "threat_synthesis": {"affected_systems": "AWS Research and Engineering Studio instances running any version prior to 2026.03 are impacted. The vulnerability resides in the session creation component used by customers who deploy RES for virtual desktop management.", "description_and_impact": "Unsanitized control of user\u2011modifiable attributes in the CreateSession API of AWS Research and Engineering Studio allows an authenticated user to supply crafted parameters that cause the system to grant the virtual desktop host instance profile permissions to that request. This results in privilege escalation, letting the attacker access AWS resources and services beyond the intended scope. The weakness is CWE\u2011915 and leads to unauthorized access to the host environment.", "risk_and_exploitability": "The base CVSS score of 8.7 indicates high severity. The EPSS score of less than 1% suggests a low probability of exploitation in the wild, and the vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires the attacker to be an authenticated RES user, who can then craft a malicious API request to the CreateSession endpoint to elevate privileges."}}}}, "created": "2026-04-07T06:53:55.012661+00:00", "updated": "2026-04-13T14:27:32.420172+00:00", "vendors": ["aws", "aws$PRODUCT$research_and_engineering_studio"]}