CVE-2026-11400 and CVE-2026-11401 - Privilege Escalation in Aurora PostgreSQL using AWS Advanced JDBC Wrapper, AWS Advanced Go Wrapper
Bulletin ID: 2026-039-AWS
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 06/05/2026 12:15 PM PDT
Description:
Amazon Aurora PostgreSQL is a fully managed relational database engine that's compatible with PostgreSQL.
We identified CVE-2026-11400 (JDBC) and CVE-2026-11401 (Go), an issue in the AWS Wrappers for Amazon Aurora PostgreSQL that allows privilege escalation to the rds_superuser role. A low-privilege authenticated user can create a crafted function that could be executed with the permissions of other Amazon Relational Database Service (RDS) users.
Impacted versions:
- AWS Advanced JDBC Wrapper >=3.0.0 and < 4.0.1
- AWS Advanced Go Wrapper release 2026-04-06
Resolution:
This issue has been addressed in the AWS Advanced JDBC Wrapper version 4.0.1 and the AWS Advanced Go Wrapper release 2026-05-26. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.
Workarounds:
- Remove the public schema from the search path.
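One way to apply and verify this workaround in PostgreSQL, as an added example that is not part of the AWS bulletin. The database name appdb and the role name app_user are placeholders for the database and login role your application uses through the wrapper.

```sql
-- Added example, not from the AWS bulletin. appdb and app_user are placeholders.

-- 1. Search path of the current session (PostgreSQL's default is "$user", public).
SHOW search_path;

-- 2. Per-role and per-database overrides that set search_path explicitly.
SELECT coalesce(d.datname, '(all databases)') AS database_name,
       coalesce(r.rolname, '(all roles)')     AS role_name,
       cfg                                    AS setting
FROM pg_db_role_setting s
LEFT JOIN pg_database d ON d.oid = s.setdatabase
LEFT JOIN pg_roles    r ON r.oid = s.setrole
CROSS JOIN LATERAL unnest(s.setconfig) AS cfg
WHERE cfg LIKE 'search_path=%';

-- 3. Functions currently defined in public and who owns them, for review.
SELECT p.oid::regprocedure         AS function_signature,
       pg_get_userbyid(p.proowner) AS owner
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE n.nspname = 'public'
ORDER BY owner, function_signature;

-- 4. Roles that are able to create objects in public.
SELECT r.rolname
FROM pg_roles r
WHERE has_schema_privilege(r.oid, 'public', 'CREATE')
ORDER BY r.rolname;

-- 5. Apply the workaround: drop public from the search path.
--    The role-in-database setting takes precedence over the database-wide one.
ALTER DATABASE appdb SET search_path = "$user";
ALTER ROLE app_user IN DATABASE appdb SET search_path = "$user";

-- 6. Verify from a NEW session opened as app_user on appdb.
SHOW search_path;   -- should no longer list public
```

These settings are read at session start, so existing and pooled connections keep the old search path until they reconnect. After the change, objects in public must be referenced with an explicit schema name, such as public.my_table.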
References:
- CVE-2026-11400
- CVE-2026-11401
- AWS Advanced JDBC Wrapper: GHSA-mhww-p97m-3368
- AWS Advanced Go Wrapper: GHSA-r236-5pc3-3qcp
Please email aws-security@amazon.com with any security questions or concerns.