AWS RES Session Attr Flaw Enables Priv Escalation, Fixed 2026.03
CVE-2026-5708 Published on April 6, 2026
Improper Control of User-Modifiable Attributes in RES CreateSession API
Unsanitized control of user-modifiable attributes in the session creation component in AWS Research and Engineering Studio (RES) prior to version 2026.03 could allow an authenticated remote user to escalate privileges, assume the virtual desktop host instance profile permissions, and interact with AWS resources and services via a crafted API request.
To remediate this issue, users are advised to upgrade to RES version 2026.03 or apply the corresponding mitigation patch to their existing environment.
Vulnerability Analysis
CVE-2026-5708 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
What is a Mass Assignment Vulnerability?
The software receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
CVE-2026-5708 has been classified to as a Mass Assignment vulnerability or weakness.
Products Associated with CVE-2026-5708
Want to know whenever a new CVE is published for Amazon Aws? stack.watch will email you.
Affected Versions
AWS Research and Engineering Studio (RES):- Version 2023.11, <= 2025.12.01 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.