Improper Link Resolution in AWS Research and Engineering Studio
CVE-2026-14904

7.1HIGH

Key Information:

Vendor

Aws

Status
Vendor
CVE Published:
7 July 2026

What is CVE-2026-14904?

An improper link resolution vulnerability in the Auth.GetUserPrivateKey API of AWS Research and Engineering Studio could allow authenticated remote users to exploit the system. By substituting their SSH private key file with a symbolic link to any file on the host, these users can gain access to sensitive information. Since the cluster-manager process operates with root privileges, files that are readable by root—including other users' SSH private keys and confidential application configuration secrets—are vulnerable to unauthorized access. It is crucial for users to upgrade to version 2026.06 to mitigate this risk.

Affected Version(s)

res 0 <= 2026.03

References

CVSS V4

Score:
7.1
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.