CVE-2026-10584 - HTTPS Fallback to HTTP in Graph Explorer

Bulletin ID: 2026-038-AWS
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 06/02/2026 12:15 PM PDT

Description:

Graph Explorer is an open source application that provides visualization and exploration of data in graph databases such as Amazon Neptune. We identified CVE-2026-10584 where, under certain circumstances, the server silently falls back to HTTP when HTTPS is enabled but certificates are unavailable, resulting in cleartext transmission of sensitive information.

Impacted versions: >= 1.1.0 AND < 3.0.1

Resolution:

This issue has been addressed in Graph Explorer version 3.0.1. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.

Workarounds:

If you cannot upgrade immediately, please take the following actions:

  • Verify your deployment is actually serving over HTTPS by checking the protocol in the browser or via curl
  • Ensure HOST is set in your docker run command so certificates are generated correctly
  • Avoid using non-default configuration directory paths when relying on automatic self-signed certificate generation
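The first workaround, checking what the listener actually speaks, can be automated. The following is an added example written for this bulletin, not code from Graph Explorer: it attempts a TLS handshake on the deployment's port and, if that fails, checks whether the same port answers a plain-text request instead (the fallback this bulletin describes). The host, port and the throwaway cleartext listener used to demonstrate it are assumptions for illustration.

```python
# Added check for CVE-2026-10584: does the Graph Explorer port really negotiate TLS,
# or has it silently fallen back to cleartext HTTP? Example code, not the project's own.
import socket
import socketserver
import ssl
import threading


def probe_protocol(host: str, port: int, timeout: float = 5.0) -> str:
    """Return 'https' if the port completes a TLS handshake, 'http' if it answers a
    plain-text request instead, 'unknown' for any other reply, 'unreachable' otherwise."""
    ctx = ssl.create_default_context()
    # Self-signed certificates are the normal case for this deployment, so certificate
    # validation is deliberately skipped here; the only question is whether TLS is spoken.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            try:
                with ctx.wrap_socket(raw, server_hostname=host):
                    return "https"
            except OSError:
                pass  # handshake rejected: the listener is not speaking TLS
        # Second connection: see whether the same port serves cleartext HTTP.
        with socket.create_connection((host, port), timeout=timeout) as raw:
            raw.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            reply = raw.recv(64)
    except OSError:
        return "unreachable"
    return "http" if reply.startswith(b"HTTP/") else "unknown"


class _CleartextHandler(socketserver.StreamRequestHandler):
    """Stand-in (constructed for this example) for a listener that fell back to HTTP:
    it answers whatever it receives, including a TLS ClientHello, with a plain reply."""

    def handle(self):
        self.request.recv(1024)
        self.request.sendall(b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n\r\ncleartext\n")


def start_cleartext_listener() -> tuple[socketserver.ThreadingTCPServer, int]:
    """Start the stand-in server on an ephemeral loopback port; returns (server, port)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _CleartextHandler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    server, port = start_cleartext_listener()
    print(f"127.0.0.1:{port} ->", probe_protocol("127.0.0.1", port))  # http (fallback detected)
    server.shutdown()
    server.server_close()
```

Against a real deployment, call `probe_protocol(host, port)` with the address you expose; anything other than `"https"` means clients are not getting TLS on that port.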

References:

Acknowledgement:

We would like to thank Eduardo Caro for collaborating on this issue through the coordinated vulnerability disclosure process.


Please email aws-security@amazon.com with any security questions or concerns.