Issues with AWS Research and Engineering Studio (RES)
Bulletin ID: 2026-014-AWS
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 04/6/2026 2:00 PM PST
Description:
Research and Engineering Studio (RES) on AWS is an open source web portal designed for administrators to create and manage secure cloud-based research and engineering environments. We have identified the following issues with the AWS Research and Engineering Studio (RES).
CVE-2026-5707: Unsanitized input in an OS Command in the virtual desktop session name handling in AWS Research and Engineering Studio (RES) version 2025.03 through 2025.12.01 might allow a remote authenticated actor to execute arbitrary commands as root on the virtual desktop host via a crafted session name.
CVE-2026-5708: Improper control of user-modifiable attributes in the session creation component in AWS Research and Engineering Studio (RES) before version 2026.03 might allow an authenticated remote user to escalate privileges and assume the Virtual Desktop Host instance profile permissions and interact with other AWS resources and services via a crafted API request.
CVE-2026-5709: Unsanitized input in the FileBrowser API in AWS Research and Engineering Studio (RES) version 2024.10 through 2025.12.01 might allow a remote authenticated actor to execute arbitrary commands on the cluster-manager EC2 instance via crafted input when using the FileBrowser functionality.
Impacted versions: <= 2025.12.01
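To triage an environment against the per-CVE ranges above, the following added example (not part of the AWS bulletin or the RES code base) maps an installed RES version string to the CVEs that apply to it. It assumes RES versions are written as YYYY.MM or YYYY.MM.PP; the names `RANGES`, `parse_version` and `affected_cves` are hypothetical.

```python
import re

# Ranges transcribed from the bulletin: (first affected or None, bound, bound_inclusive).
# None means the bulletin gives no lower bound ("before version 2026.03").
RANGES = {
    "CVE-2026-5707": ("2025.03", "2025.12.01", True),
    "CVE-2026-5708": (None, "2026.03", False),
    "CVE-2026-5709": ("2024.10", "2025.12.01", True),
}

# Assumed version format: YYYY.MM with an optional .PP patch component.
_VERSION_RE = re.compile(r"(\d{4})\.(\d{1,2})(?:\.(\d{1,2}))?")


def parse_version(text):
    """Turn 'YYYY.MM' or 'YYYY.MM.PP' into a comparable (year, month, patch) tuple."""
    m = _VERSION_RE.fullmatch(text.strip())
    if m is None:
        # Fail closed: an unparseable version must not be reported as unaffected.
        raise ValueError(f"unrecognised RES version string: {text!r}")
    year, month, patch = m.groups()
    return (int(year), int(month), int(patch or 0))


def affected_cves(version):
    """Return the sorted CVE ids from the bulletin that apply to this version."""
    v = parse_version(version)
    hits = []
    for cve, (first, bound, inclusive) in RANGES.items():
        if first is not None and v < parse_version(first):
            continue  # older than the first version the bulletin lists for this CVE
        upper = parse_version(bound)
        if v < upper or (inclusive and v == upper):
            hits.append(cve)
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample versions, not an inventory of real deployments.
    for sample in ("2024.06", "2024.10", "2025.03", "2025.12.01", "2026.03"):
        print(sample, affected_cves(sample) or "not affected by this bulletin")
```

Versions older than 2024.10 are still reported for CVE-2026-5708, because the bulletin describes that issue only as affecting versions before 2026.03.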
Resolution:
These issues have been addressed in RES version 2026.03. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.
Workarounds
Users can apply a patch to the existing RES environment by following the mitigation instructions: [2025.12.01 and earlier] Preventing Command Injection via Session Name, [2025.12.01 and earlier] Privilege Escalation via Instance Profile Injection, or [2025.12.01 and earlier] Command injection via FileBrow.
Please email aws-security@amazon.com with any security questions or concerns.