Description
Unsanitized input in the FileBrowser API in AWS Research and Engineering Studio (RES) version 2024.10 through 2025.12.01 might allow a remote authenticated actor to execute arbitrary commands on the cluster-manager EC2 instance via crafted input when using the FileBrowser functionality.

To remediate this issue, users are advised to upgrade to RES version 2026.03 or apply the corresponding mitigation patch to their existing environment.
Published: 2026-04-06
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

An input sanitization flaw in the FileBrowser API of AWS Research and Engineering Studio permits a remote authenticated user to craft a request that causes the cluster-manager EC2 instance to execute arbitrary shell commands, granting full remote code execution and compromising the confidentiality, integrity, and availability of the affected environment. The defect is classified as OS command injection (CWE-78).

Affected Systems

The vulnerability affects Amazon’s Research and Engineering Studio, versions 2024.10 through 2025.12.01. It exists within the FileBrowser functionality that operates on the cluster-manager EC2 instance used by RES deployments.

Risk and Exploitability

The CVSS score of 7.7 indicates high severity, while an EPSS score below 1% suggests that active exploitation in the wild is currently rare. The issue is not listed in the CISA KEV catalog. Exploitation requires authenticated access to the RES API, so the attacker must hold user credentials with at least normal RES privileges. The typical attack path, a malicious request to the FileBrowser endpoint that triggers commands on the underlying EC2 instance, is inferred from the description rather than documented in detail.

Generated by OpenCVE AI on April 10, 2026 at 21:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AWS Research and Engineering Studio to version 2026.03 or later so that the command injection flaw is removed.
  • If upgrading is not immediately possible, apply the mitigation patch released for this issue to the existing RES environment.
  • After applying the fix, verify that the RES service reports a non-vulnerable release by checking the version reported by the API or documentation.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 20:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Amazon; Amazon research And Engineering Studio
CPEs | | cpe:2.3:a:amazon:research_and_engineering_studio:*:*:*:*:*:*:*:*
Vendors & Products | | Amazon; Amazon research And Engineering Studio

Tue, 07 Apr 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 09:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Aws; Aws research And Engineering Studio
Vendors & Products | | Aws; Aws research And Engineering Studio

Tue, 07 Apr 2026 00:00:00 +0000

Type | Values Removed | Values Added
Description | | Unsanitized input in the FileBrowser API in AWS Research and Engineering Studio (RES) version 2024.10 through 2025.12.01 might allow a remote authenticated actor to execute arbitrary commands on the cluster-manager EC2 instance via crafted input when using the FileBrowser functionality. To remediate this issue, users are advised to upgrade to RES version 2026.03 or apply the corresponding mitigation patch to their existing environment.
Title | | AWS Research and Engineering Studio (RES) FileBrowser Command Injection
Weaknesses | | CWE-78
References | |
Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}; cvssV4_0: {'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: AMZN

Published:

Updated: 2026-04-07T15:09:14.126Z

Reserved: 2026-04-06T16:11:19.793Z

Link: CVE-2026-5709

Vulnrichment

Updated: 2026-04-07T14:47:49.695Z

NVD

Status: Analyzed

Published: 2026-04-06T22:16:25.627

Modified: 2026-04-10T20:03:29.473

Link: CVE-2026-5709

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T14:27:31Z

Weaknesses