CVE-2026-14904 - Improper Link Resolution in Auth.GetUserPrivateKey in AWS Research and Engineering Studio
Bulletin ID: 2026-053-AWS
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 07/07/2026 09:30 AM PDT
Description:
AWS Research and Engineering Studio (RES) is an open-source solution that enables researchers and engineers to create and manage secure virtual desktops and computing resources on AWS.
We identified an improper link resolution before file access issue (CWE-59) in the Auth.GetUserPrivateKey API. An authenticated remote user could read arbitrary files on the cluster-manager EC2 instance by replacing their SSH private key file (~/.ssh/id_rsa) with a symbolic link targeting any file on the host. Because the cluster-manager process runs as root, any file readable by root is exposed, including other users' SSH private keys and application configuration secrets.
Impacted versions: <=2026.03
Resolution:
This issue has been addressed in RES version 2026.06. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.
Workarounds:
For customers unable to upgrade immediately, patch scripts are available for the past three major versions. Detailed patching instructions are available on the RES GitHub wiki.
References:
Please email aws-security@amazon.com with any security questions or concerns.