Description
Unsanitized control of user-modifiable attributes in the session creation component in AWS Research and Engineering Studio (RES) prior to version 2026.03 could allow an authenticated remote user to escalate privileges, assume the virtual desktop host instance profile permissions, and interact with AWS resources and services via a crafted API request.

To remediate this issue, users are advised to upgrade to RES version 2026.03 or apply the corresponding mitigation patch to their existing environment.
Published: 2026-04-06
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via Session Creation
Action: Immediate Patch
AI Analysis

Impact

Unsanitized control of user‑modifiable attributes in the CreateSession API of AWS Research and Engineering Studio allows an authenticated user to supply crafted parameters that cause the system to grant the virtual desktop host instance profile permissions to that request. This results in privilege escalation, letting the attacker access AWS resources and services beyond the intended scope. The weakness is CWE‑915 and leads to unauthorized access to the host environment.

Affected Systems

AWS Research and Engineering Studio instances running any version prior to 2026.03 are impacted. The vulnerability resides in the session creation component used by customers who deploy RES for virtual desktop management.

Risk and Exploitability

The base CVSS score of 8.7 indicates high severity. The EPSS score of less than 1% suggests a low probability of exploitation in the wild, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires the attacker to be an authenticated RES user, who can then craft a malicious API request to the CreateSession endpoint to elevate privileges.

Generated by OpenCVE AI on April 10, 2026 at 21:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to AWS RES version 2026.03 or newer.
  • If an upgrade cannot be performed immediately, apply the mitigation patch provided by AWS for the affected version.
  • Ensure session attributes are fully validated before being applied during session creation.
  • Restrict CreateSession API access to only necessary administrative accounts.
  • Monitor RES logs for unauthorized or anomalous session creation attempts.

Generated by OpenCVE AI on April 10, 2026 at 21:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Amazon
Amazon research And Engineering Studio
CPEs cpe:2.3:a:amazon:research_and_engineering_studio:*:*:*:*:*:*:*:*
Vendors & Products Amazon
Amazon research And Engineering Studio

Tue, 07 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Aws
Aws research And Engineering Studio
Vendors & Products Aws
Aws research And Engineering Studio

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Unsanitized control of user-modifiable attributes in the session creation component in AWS Research and Engineering Studio (RES) prior to version 2026.03 could allow an authenticated remote user to escalate privileges, assume the virtual desktop host instance profile permissions, and interact with AWS resources and services via a crafted API request. To remediate this issue, users are advised to upgrade to RES version 2026.03 or apply the corresponding mitigation patch to their existing environment.
Title Improper Control of User-Modifiable Attributes in RES CreateSession API
Weaknesses CWE-915
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Amazon Research And Engineering Studio
Aws Research And Engineering Studio
cve-icon MITRE

Status: PUBLISHED

Assigner: AMZN

Published:

Updated: 2026-04-07T15:09:25.916Z

Reserved: 2026-04-06T16:11:19.068Z

Link: CVE-2026-5708

cve-icon Vulnrichment

Updated: 2026-04-07T14:48:49.211Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-06T22:16:25.457

Modified: 2026-04-10T20:08:48.217

Link: CVE-2026-5708

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T14:27:32Z

Weaknesses