CVE-2026-5708
Published: 06 April 2026
Summary
CVE-2026-5708 is a high-severity Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915) vulnerability in Amazon Research And Engineering Studio. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 21.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses unsanitized user-modifiable attributes by requiring validation of inputs during session creation to block crafted API requests that enable privilege escalation.
Enforces approved authorizations for access to system resources, preventing authenticated low-privilege users from assuming virtual desktop host instance profile permissions via improper session attributes.
Restricts privileges to least necessary for users and processes, limiting the scope of escalation and impact when assuming virtual desktop host instance profile permissions.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability enables low-privilege authenticated users to escalate privileges via crafted API requests exploiting improper input validation in AWS RES session creation, directly facilitating T1068 (Exploitation for Privilege Escalation) and T1210 (Exploitation of Remote Services).
NVD Description
Unsanitized control of user-modifiable attributes in the session creation component in AWS Research and Engineering Studio (RES) prior to version 2026.03 could allow an authenticated remote user to escalate privileges, assume the virtual desktop host instance profile permissions, and interact…
more
with AWS resources and services via a crafted API request. To remediate this issue, users are advised to upgrade to RES version 2026.03 or apply the corresponding mitigation patch to their existing environment.
Deeper analysisAI
CVE-2026-5708 affects the session creation component in AWS Research and Engineering Studio (RES) versions prior to 2026.03, stemming from unsanitized control of user-modifiable attributes (CWE-915). This vulnerability enables improper validation of user inputs during session creation, potentially leading to unauthorized privilege modifications. Published on 2026-04-06, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An authenticated remote user with low privileges (PR:L) can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N) by sending a crafted API request. Exploitation allows the attacker to escalate privileges, assume the permissions of the virtual desktop host instance profile, and interact with AWS resources and services.
AWS advisories recommend upgrading to RES version 2026.03 or applying the corresponding mitigation patch to existing environments. Details are available in the AWS security bulletin at https://aws.amazon.com/security/security-bulletins/2026-014-aws/, the related GitHub issue at https://github.com/aws/res/issues/149, and the release page at https://github.com/aws/res/releases/tag/2026.03.
Details
- CWE(s)