CVE-2026-14904

Source
https://cve.org/CVERecord?id=CVE-2026-14904
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-14904.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-14904
Published
2026-07-07T16:37:58.362Z
Modified
2026-07-10T03:54:11.754383717Z
Severity
  • 7.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
RES Auth.GetUserPrivateKey Arbitrary File Read
Details

AWS Research and Engineering Studio (RES) is an open-source solution that enables researchers and engineers to create and manage secure virtual desktops and computing resources on AWS.

Improper link resolution before file access issue (CWE-59) in the Auth.GetUserPrivateKey API. An authenticated remote user could read arbitrary files on the cluster-manager EC2 instance by replacing their SSH private key file (~/.ssh/id_rsa) with a symbolic link targeting any file on the host. Because the cluster-manager process runs as root, any file readable by root is exposed, including other users' SSH private keys and application configuration secrets.

It's recommended to upgrade to RES version 2026.06.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/14xxx/CVE-2026-14904.json",
    "cna_assigner": "AMZN",
    "cwe_ids": [
        "CWE-59"
    ]
}
References

Affected packages

Git / github.com/aws/res

Affected ranges

Type
GIT
Repo
https://github.com/aws/res
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "2026.03"
        }
    ]
}

Affected versions

2023.*
2023.11
2024.*
2024.01
2024.01.01
2024.04
2024.04.01
2024.04.02
2024.08
2024.10
2024.12
2024.12.01
2025.*
2025.03
2025.06
2025.06.01
2025.09
2025.12
2025.12.01
2026.*
2026.03

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-14904.json"