Improper Link Resolution in AWS Research and Engineering Studio
CVE-2026-14904
7.1HIGH
What is CVE-2026-14904?
An improper link resolution vulnerability in the Auth.GetUserPrivateKey API of AWS Research and Engineering Studio could allow authenticated remote users to exploit the system. By substituting their SSH private key file with a symbolic link to any file on the host, these users can gain access to sensitive information. Since the cluster-manager process operates with root privileges, files that are readable by root—including other users' SSH private keys and confidential application configuration secrets—are vulnerable to unauthorized access. It is crucial for users to upgrade to version 2026.06 to mitigate this risk.
Affected Version(s)
res 0 <= 2026.03
