OS Command Injection Vulnerability in AWS Research and Engineering Studio
CVE-2026-5707

8.7 HIGH

Key Information:

Vendor: AWS

CVE Published: 6 April 2026

What is CVE-2026-5707?

An OS command injection vulnerability exists in the handling of virtual desktop session names in AWS Research and Engineering Studio (RES) versions 2025.03 through 2025.12.01. A remote authenticated user can execute arbitrary commands on the virtual desktop host by crafting a malicious session name, compromising the integrity and security of the system. Users are recommended to upgrade to version 2026.03 or apply the appropriate patch to mitigate this risk.

Affected Version(s)

Research and Engineering Studio (RES): 2025.03 <= version <= 2025.12.01

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
