Remote Code Execution Flaw in AWS Research and Engineering Studio
CVE-2026-5709

7.7HIGH

Key Information:

Vendor

Aws

Status
Research And Engineering Studio (res)
Vendor
CVE Published:
6 April 2026

What is CVE-2026-5709?

The FileBrowser API in AWS Research and Engineering Studio versions 2024.10 to 2025.12.01 contains a vulnerability that permits a remote authenticated actor to execute arbitrary commands on the cluster-manager EC2 instance. This issue arises from unsanitized input that can be manipulated while using the FileBrowser functionality. To mitigate this risk, users are advised to upgrade to version 2026.03 or apply the relevant patch to their current installation.

Affected Version(s)

Research and Engineering Studio (RES) 2024.10 <= 2025.12.01

References

https://github.com/aws/res/releases/tag/2026.03
release-notes
https://github.com/aws/res/issues/150
patch
https://aws.amazon.com/security/security-bulletins/2026-0...
vendor-advisory

CVSS V4

Score:
7.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.