AWS patches three severe RES flaws that could lead to root command execution and privilege escalation
Amazon Web Services has published an important security bulletin for Research and Engineering Studio, or RES, covering three vulnerabilities that could let an authenticated attacker run commands or gain broader permissions inside a deployed environment. AWS says all three issues are fixed in RES version 2026.03.
RES is AWS’s open source portal for building and managing cloud-based research and engineering environments. That matters because the product often sits close to high-value data, virtual desktop infrastructure, and connected AWS resources, so a flaw in session handling or backend APIs can have wider consequences than a normal app bug.
The three CVEs are CVE-2026-5707, CVE-2026-5708, and CVE-2026-5709. Two are command injection bugs, and one is a privilege escalation issue tied to session creation. AWS classifies the bulletin as important, while public advisory records rate the individual bugs as high severity.
What each AWS RES vulnerability does
CVE-2026-5707 affects RES versions 2025.03 through 2025.12.01. AWS says unsanitized input in virtual desktop session name handling could let a remote authenticated attacker execute arbitrary commands as root on the virtual desktop host through a crafted session name.
CVE-2026-5708 affects RES versions before 2026.03. AWS says improper control of user-modifiable attributes in the session creation component could let an authenticated remote user escalate privileges, assume the Virtual Desktop Host instance profile permissions, and interact with other AWS resources and services through a crafted API request.
CVE-2026-5709 affects RES versions 2024.10 through 2025.12.01. AWS says unsanitized input in the FileBrowser API could let a remote authenticated attacker execute arbitrary commands on the cluster-manager EC2 instance through crafted input when using FileBrowser functionality.
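The two bug classes above, a session name that reaches a command context unsanitized and a session-creation attribute (the instance profile ARN) that the client can modify, share the same fix pattern: strict allowlist validation, no shell interpolation, and server-side pinning of privileged attributes. The following is an added illustration of that pattern written for this article; it is not RES's own code, and the helper path and field name are hypothetical.

```python
import re

# Added example (not RES project code). Assumed: the deployment knows its own
# Virtual Desktop Host instance profile ARN at configuration time, and session
# setup is delegated to a hypothetical helper binary.
SESSION_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")
HYPOTHETICAL_HELPER = "/path/to/session-setup-helper"  # placeholder path


class ValidationError(ValueError):
    """Raised when client-supplied input fails a server-side check."""


def validate_session_name(name: str) -> str:
    """Accept only a strict allowlist of characters.

    Anything a shell or downstream tool could interpret (spaces, quotes,
    semicolons, dollar signs, backticks, newlines) is rejected outright
    instead of being escaped, which is the safer of the two choices.
    """
    if not isinstance(name, str) or not SESSION_NAME_RE.fullmatch(name):
        raise ValidationError("session name contains disallowed characters")
    return name


def build_session_command(name: str, user: str) -> list:
    """Return argv for the session helper as a list, never as a shell string.

    The validated name is a discrete argument, so even a metacharacter that
    slipped past the allowlist would be passed literally, not executed.
    """
    return [HYPOTHETICAL_HELPER, "--user", user, "--name", validate_session_name(name)]


def resolve_instance_profile(request: dict, configured_arn: str) -> str:
    """Pin the instance profile server-side.

    The client may echo the ARN back, but any value that differs from the
    deployment's configured profile is treated as an override attempt and
    rejected rather than honoured. 'instance_profile_arn' is a hypothetical
    request field used only for this illustration.
    """
    supplied = request.get("instance_profile_arn")
    if supplied is not None and supplied != configured_arn:
        raise ValidationError("request attempted to override the instance profile")
    return configured_arn
```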
Why these bugs matter
Taken together, the three flaws create multiple paths for an attacker who already has authenticated access. One path targets the virtual desktop host, another targets the cluster-manager EC2 instance, and the third can expose permissions tied to the virtual desktop host instance profile. That combination can give an attacker room to move deeper into the environment and reach additional AWS services. This conclusion follows directly from AWS’s descriptions of root command execution and instance-profile assumption.
AWS’s March 2026 RES release notes confirm the security fixes in plain language. The company says version 2026.03 fixed a privilege escalation vulnerability in the FileBrowser component, a cross-user remote code execution issue through session name injection, and an issue where an external instance profile ARN could be used during session creation.
The release-note wording differs from the bulletin in one detail. The official RES revisions page describes the FileBrowser-related issue as a privilege escalation vulnerability, while the AWS security bulletin and the CVE entry for CVE-2026-5709 describe arbitrary command execution on the cluster-manager EC2 instance. The safest approach is to rely on AWS’s bulletin and CVE text for the impact and treat the release notes as a briefer summary of the fix.
Affected versions and fixes
| CVE | Issue type | Affected versions | Official impact | Fixed in |
|---|---|---|---|---|
| CVE-2026-5707 | OS command injection | 2025.03 through 2025.12.01 | Arbitrary commands as root on virtual desktop host | 2026.03 |
| CVE-2026-5708 | Privilege escalation | Before 2026.03 | Can assume Virtual Desktop Host instance profile permissions | 2026.03 |
| CVE-2026-5709 | FileBrowser input flaw | 2024.10 through 2025.12.01 | Arbitrary commands on cluster-manager EC2 instance | 2026.03 |
The official recommendation is simple: upgrade RES to version 2026.03 or newer. AWS also says organizations that maintain forked or derivative code should patch those codebases too, so custom deployments do not remain exposed after the upstream fix ships.
For teams that cannot upgrade right away, AWS points to mitigation patches in the RES GitHub project. One public issue shows manual patch instructions for affected 2025.12.01 and 2025.12 environments, including a patch script and updated component packages.
What administrators should do now
- Upgrade RES environments to version 2026.03 or newer.
- Check whether any deployment still runs versions 2025.12.01 or earlier.
- Apply AWS’s mitigation patch if a full upgrade is not immediately possible.
- Review who has authenticated access to RES, because all three flaws require an authenticated actor.
- Audit use of instance profiles and connected AWS resource permissions, especially in virtual desktop workflows. This is a prudent response because CVE-2026-5708 can let an attacker assume the Virtual Desktop Host instance profile.
FAQ
- AWS patched three vulnerabilities in Research and Engineering Studio, including two command injection flaws and one privilege escalation bug.
- No. AWS says the vulnerabilities require an authenticated remote attacker.
- AWS says RES version 2026.03 contains the fixes for all three issues.
- AWS says administrators can apply mitigation patches from the RES GitHub project while planning a full upgrade.