AWS Advanced JDBC Wrapper 3.3-4.0 RemoteQueryCachePlugin Deserialization RCE
CVE-2026-14265 Published on July 1, 2026
RCE via Deserialization in AWS Advanced JDBC Wrapper
Deserialization of untrusted data in the RemoteQueryCachePlugin in Amazon Web Services AWS Advanced JDBC Wrapper 3.3.0 through 4.0.0 might allow an actor with write access to the shared cache infrastructure to execute arbitrary code on application servers that read cached query results via a crafted serialized Java object. The RemoteQueryCachePlugin uses ObjectInputStream without class filtering when deserializing cached query results from Redis or Valkey, enabling gadget chain execution when cache entries are poisoned.
We recommend upgrading to AWS Advanced JDBC Wrapper version 4.0.1 or later.
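The missing control described above is class filtering on ObjectInputStream. The following Java is an added example, not code from the AWS Advanced JDBC Wrapper or its 4.0.1 release: it applies a JDK ObjectInputFilter allow-list before reading a cache entry. The class names, the assumed row shape (an ArrayList of HashMap rows holding String and Integer values) and the size limits are illustrative assumptions.

```java
import java.io.*;
import java.util.*;

public class FilteredCacheRead {
    // Assumption: a cached result is an ArrayList of HashMap rows with String/Integer values.
    static final Set<Class<?>> ROW_TYPES = Set.of(ArrayList.class, HashMap.class,
            String.class, Integer.class, Number.class,  // Number: Integer's serializable superclass
            Object.class, Map.Entry.class);             // component types of the collections' backing arrays

    static ObjectInputFilter.Status check(ObjectInputFilter.FilterInfo info) {
        if (info.depth() > 8 || info.references() > 100_000 || info.arrayLength() > 100_000)
            return ObjectInputFilter.Status.REJECTED;   // bound graph size as well as types
        Class<?> c = info.serialClass();
        if (c == null) return ObjectInputFilter.Status.UNDECIDED;  // limits-only callback
        while (c.isArray()) c = c.getComponentType();
        return ROW_TYPES.contains(c) ? ObjectInputFilter.Status.ALLOWED
                                     : ObjectInputFilter.Status.REJECTED;
    }

    static Object readCached(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(FilteredCacheRead::check);  // must be set before readObject()
            return in.readObject();
        }
    }

    // Constructed stand-in for a class the application never caches.
    static class Unlisted implements Serializable {
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            System.out.println("Unlisted.readObject ran");  // not reached when the filter is set
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        HashMap<String, Object> row = new HashMap<>();
        row.put("id", 7); row.put("name", "alice");
        System.out.println(readCached(serialize(new ArrayList<>(List.of(row)))));  // constructed valid entry
        ArrayList<Object> tampered = new ArrayList<>(List.of(new Unlisted()));     // constructed tampered entry
        try { readCached(serialize(tampered)); }
        catch (InvalidClassException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The filter rejects the unlisted class before its readObject method is invoked, which is the point at which a gadget chain would otherwise begin executing.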
Vulnerability Analysis
CVE-2026-14265 can be exploited with network access, and requires a small amount of user privileges. This vulnerability is considered to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
What is a Marshaling, Unmarshaling Vulnerability?
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
CVE-2026-14265 has been classified as a Marshaling, Unmarshaling vulnerability or weakness.
Products Associated with CVE-2026-14265
Affected Versions
AWS Advanced JDBC Wrapper: versions 3.3.0 through 4.0.0 are affected.