JustAppSec

AWS RES fixes command injection and privilege escalation flaws

2 min read · Published 06 Apr 2026 · Source: AWS Security Bulletins

TL;DR — AWS warns that authenticated RES users can trigger OS command injection and session-creation privilege escalation, potentially reaching root on virtual desktop hosts and AWS credentials via instance profiles.

What happened

Research and Engineering Studio (RES) on AWS is an open-source web portal for provisioning and managing cloud-based research/engineering environments. AWS published security bulletin 2026-014-AWS describing three issues in RES: two OS command injection paths and one privilege escalation bug in session creation.

Per AWS and the associated CVE records, the impact spans (1) OS command injection via virtual desktop session name handling, (2) privilege escalation by modifying user-controllable attributes during session creation to assume the virtual desktop host instance profile permissions, and (3) command injection via the FileBrowser API that can execute commands on the cluster-manager EC2 instance.

This is a high-risk pattern for platform teams because these are control-plane issues in an administrative portal: even when “authenticated,” a low-privileged or compromised user account can become a pivot into host-level code execution and AWS resource access.
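To make the two weakness classes in the bulletin concrete, here is an added illustration of a toy "create session" handler showing the CWE-915 and CWE-78 patterns next to their hardened forms. This is example code written for this article; it is not RES code and does not reflect how RES actually handles session names or attributes. The handler, the field names (owner, instance_profile_arn, software_stack) and the launch command (echo stands in for a real launcher) are all assumptions.

```python
"""Illustration of CWE-915 (attribute injection) and CWE-78 (OS command
injection) in a hypothetical session-creation handler. Not RES code; all
names and the launch command are assumptions made for the demo."""
import re
import subprocess
from dataclasses import dataclass

# Allow-list for session names. Nothing a shell treats as a metacharacter
# (; | & $ ` quotes, whitespace) can pass this pattern.
SESSION_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")

# Hypothetical instance profile a normal user session should run under.
DEFAULT_PROFILE = "arn:aws:iam::111122223333:instance-profile/vdi-user"


@dataclass
class Session:
    name: str
    owner: str                 # must come from the authenticated principal
    instance_profile_arn: str  # server-chosen, never from the request body
    software_stack: str = "default"


# Fields the client may set; everything else is server-controlled.
CLIENT_ALLOWED = {"name", "software_stack"}


# ---- CWE-915: user-controllable attributes copied onto the object ----

def create_session_vulnerable(caller: str, body: dict) -> Session:
    """Mass assignment: every client key is written onto the session object,
    so a request body can overwrite owner or instance_profile_arn."""
    s = Session(name=body.get("name", ""), owner=caller,
                instance_profile_arn=DEFAULT_PROFILE)
    for key, value in body.items():   # BUG: no allow-list on keys
        setattr(s, key, value)
    return s


def create_session_hardened(caller: str, body: dict) -> Session:
    """Rejects unexpected keys and derives privileged fields server-side."""
    unexpected = set(body) - CLIENT_ALLOWED
    if unexpected:
        raise ValueError(f"unexpected attributes: {sorted(unexpected)}")
    name = body.get("name", "")
    if not SESSION_NAME_RE.fullmatch(name):
        raise ValueError("invalid session name")
    return Session(name=name, owner=caller,
                   instance_profile_arn=DEFAULT_PROFILE,
                   software_stack=body.get("software_stack", "default"))


# ---- CWE-78: session name interpolated into a shell command ----

def start_session_vulnerable(session: Session) -> str:
    """Builds a shell string from untrusted input. `echo` stands in for the
    real launcher so the demo is harmless and runs anywhere with /bin/sh."""
    cmd = f"echo starting {session.name}"
    return subprocess.run(["sh", "-c", cmd],
                          capture_output=True, text=True).stdout


def start_session_hardened(session: Session) -> str:
    """Validates the name and passes it as one argv element, with no shell,
    so whatever it contains is a single argument to the launcher."""
    if not SESSION_NAME_RE.fullmatch(session.name):
        raise ValueError("invalid session name")
    return subprocess.run(["echo", "starting", session.name],
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Constructed attacker inputs for the demo.
    escalate = {"name": "demo", "owner": "admin",
                "instance_profile_arn": "arn:aws:iam::111122223333:instance-profile/vdi-admin"}
    print("vulnerable owner:", create_session_vulnerable("alice", escalate).owner)
    inject = Session(name="demo; echo INJECTED", owner="alice",
                     instance_profile_arn=DEFAULT_PROFILE)
    print("vulnerable launch output:", start_session_vulnerable(inject))
    for fn, arg in ((create_session_hardened, ("alice", escalate)),
                    (start_session_hardened, (inject,))):
        try:
            fn(*arg)
        except ValueError as e:
            print(f"{fn.__name__} rejected input: {e}")
```

The two fixes are independent and both are needed: the argv-list launch stops the name from ever being parsed by a shell, and the key allow-list plus server-side assignment of owner and profile stops the request body from steering which principal the session runs as.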

Who is impacted

  • Organizations running an impacted RES release (AWS lists impacted versions as 2025.12.01 and earlier).
  • Environments where RES is reachable by broad internal populations (e.g., many researchers/engineers) or where accounts are federated and therefore susceptible to credential-stuffing or IdP compromise.
The three CVEs, as described by AWS and the CVE records:

  • CVE-2026-5707: OS command injection (CWE-78)
    • Impact (as described by source): an authenticated actor may execute arbitrary commands as root on the virtual desktop host via a crafted session name
    • Affected versions (source): 2025.03 through 2025.12.01
  • CVE-2026-5708: attribute injection / privilege escalation (CWE-915)
    • Impact (as described by source): an authenticated user may escalate privileges and assume the virtual desktop host instance profile permissions via a crafted API request
    • Affected versions (source): versions prior to 2026.03 (the CVE record lists 2023.11 through 2025.12.01)
  • CVE-2026-5709: OS command injection (CWE-78)
    • Impact (as described by source): an authenticated actor may execute arbitrary commands on the cluster-manager EC2 instance via crafted FileBrowser input
    • Affected versions (source): 2024.10 through 2025.12.01

What to do now

  • Follow vendor remediation guidance and apply the latest patched release available at the time of writing.

    "This issue has been addressed in RES version 2026.03. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes."

  • If you cannot upgrade immediately, use the vendor-provided mitigation patches and instructions referenced from the bulletin.
  • Treat this as a potential cloud-credential exposure scenario:
    • review which AWS roles/instance profiles RES components can assume in your deployment
    • audit RES API usage and administrative actions around session creation, FileBrowser functionality, and virtual desktop session naming
    • if compromise is suspected, rotate credentials accessible to the impacted RES components and review CloudTrail activity for unexpected use of assumed roles
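The last step, reviewing CloudTrail for unexpected use of the virtual desktop host's role, is the part most teams do by hand. Below is an added example of the triage logic run over a handful of constructed CloudTrail records (not real logs) in the shape CloudTrail writes. It is not AWS code and not part of the bulletin. The role name, the VDI subnet range and the set of API calls a healthy host is expected to make are assumptions you would replace with your own deployment's values; the two signals it uses are real CloudTrail properties: credentials obtained from an instance profile produce an assumed-role session named after the instance ID, and sourceIPAddress records where the call came from.

```python
"""Triage constructed CloudTrail records for suspicious use of the VDI host
instance-profile role. Added example; role, subnets and expected calls are
hypothetical and the records below are constructed, not captured."""
import ipaddress
import json

# ---- assumptions: adjust to your deployment ----
VDI_HOST_ROLE = "arn:aws:iam::111122223333:role/res-vdi-host"
VDI_SUBNETS = [ipaddress.ip_network("10.20.0.0/16")]
EXPECTED_CALLS = {
    ("ssm.amazonaws.com", "UpdateInstanceInformation"),
    ("s3.amazonaws.com", "GetObject"),
    ("logs.amazonaws.com", "PutLogEvents"),
}

# Constructed records in CloudTrail's JSON layout (a trimmed subset of fields).
SAMPLE_TRAIL = json.loads(r"""
{"Records": [
 {"eventTime": "2026-04-02T09:01:12Z", "eventSource": "ssm.amazonaws.com",
  "eventName": "UpdateInstanceInformation", "sourceIPAddress": "10.20.4.17",
  "userIdentity": {"type": "AssumedRole",
    "arn": "arn:aws:sts::111122223333:assumed-role/res-vdi-host/i-0abc123def456789a",
    "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/res-vdi-host"}}}},
 {"eventTime": "2026-04-02T09:03:40Z", "eventSource": "sts.amazonaws.com",
  "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.9",
  "userIdentity": {"type": "AssumedRole",
    "arn": "arn:aws:sts::111122223333:assumed-role/res-vdi-host/i-0abc123def456789a",
    "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/res-vdi-host"}}}},
 {"eventTime": "2026-04-02T09:04:02Z", "eventSource": "iam.amazonaws.com",
  "eventName": "ListRoles", "sourceIPAddress": "10.20.4.17",
  "userIdentity": {"type": "AssumedRole",
    "arn": "arn:aws:sts::111122223333:assumed-role/res-vdi-host/i-0abc123def456789a",
    "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/res-vdi-host"}}}},
 {"eventTime": "2026-04-02T09:05:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "GetObject", "sourceIPAddress": "10.20.7.2",
  "userIdentity": {"type": "IAMUser",
    "arn": "arn:aws:iam::111122223333:user/alice"}}
]}
""")["Records"]


def issuer_role(rec: dict):
    """Return the IAM role that issued an assumed-role session, else None."""
    ident = rec.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    return ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")


def in_vdi_network(ip_text: str) -> bool:
    """True if the caller IP lies in a VDI subnet. Non-IP values (service
    principals such as 'ec2.amazonaws.com') count as outside."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in VDI_SUBNETS)


def triage(records: list) -> list:
    """Flag VDI-host-role events that call an unexpected API or originate
    outside the VDI network (credentials used off-host)."""
    findings = []
    for rec in records:
        if issuer_role(rec) != VDI_HOST_ROLE:
            continue
        reasons = []
        call = (rec.get("eventSource"), rec.get("eventName"))
        if call not in EXPECTED_CALLS:
            reasons.append("unexpected API %s:%s" % call)
        src = rec.get("sourceIPAddress", "")
        if not in_vdi_network(src):
            reasons.append(f"source IP {src} outside VDI subnets")
        if reasons:
            # Instance-profile sessions are named after the instance ID.
            session = rec["userIdentity"]["arn"].rsplit("/", 1)[-1]
            findings.append({"time": rec["eventTime"], "session": session,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_TRAIL), indent=2))
```

On the sample, the GetCallerIdentity call from 203.0.113.9 is flagged on both signals (an off-host caller probing what the stolen credentials can do), ListRoles is flagged as an API a VDI host has no business calling even though it came from the host itself, and the IAM user's S3 read is ignored because it did not use the role. In a real deployment you would feed the same function the records from CloudTrail Lake or Athena rather than an inline list, and pair it with rotating the affected role's credentials.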

Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
