CVE-2026-14904 in Research and Engineering Studioinfo

Summary

by MITRE • 07/07/2026

AWS Research and Engineering Studio (RES) is an open-source solution that enables researchers and engineers to create and manage secure virtual desktops and computing resources on AWS.



Improper link resolution before file access issue (CWE-59) in the Auth.GetUserPrivateKey API. An authenticated remote user could read arbitrary files on the cluster-manager EC2 instance by replacing their SSH private key file (~/.ssh/id_rsa) with a symbolic link targeting any file on the host. Because the cluster-manager process runs as root, any file readable by root is exposed, including other users' SSH private keys and application configuration secrets.



It's recommended to upgrade to RES version 2026.06.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/07/2026

The AWS Research and Engineering Studio (RES) represents a sophisticated open-source platform designed to facilitate secure virtual desktop creation and computing resource management within AWS environments. This system serves as a critical infrastructure component for research and engineering teams requiring isolated computational environments while maintaining security boundaries. The platform's architecture includes multiple components working in concert, with the cluster-manager EC2 instance serving as a central control point responsible for managing user access and resource allocation. The vulnerability identified affects the Auth.GetUserPrivateKey API endpoint which handles authentication and key management operations within this distributed system.

The technical flaw manifests through improper link resolution prior to file access, specifically classified under CWE-59 which addresses inadequate handling of symbolic links during file operations. This vulnerability occurs when the system processes user-provided SSH private key files without properly validating or sanitizing symbolic link references before accessing them. The authentication mechanism allows remote users to submit their own SSH private keys through the API, but due to insufficient input validation, malicious actors can substitute legitimate key files with carefully crafted symbolic links pointing to sensitive targets within the filesystem. When the system processes these symbolic links without proper resolution checks, it follows the link and accesses the target file as if it were the original user key, bypassing normal access controls and security boundaries.

The operational impact of this vulnerability extends far beyond simple unauthorized file access, representing a critical privilege escalation vector that can compromise entire system security postures. Since the cluster-manager process executes with root privileges, any file accessible to the root user becomes potentially exploitable through this attack pathway. This includes sensitive information such as other users' SSH private keys, application configuration files containing database credentials or API tokens, and system-level secrets stored in configuration management systems. The vulnerability essentially allows an authenticated attacker to perform lateral movement across the cluster, potentially accessing data belonging to other researchers or engineers, compromising the isolation guarantees that RES is designed to provide. This type of attack aligns with ATT&CK technique T1078.004 which covers valid accounts and credential access through privilege escalation mechanisms.

The exploitation scenario begins with an authenticated user leveraging the legitimate API endpoint to upload their SSH key, followed by replacing the actual key file with a symbolic link pointing to a target file of interest. This attack pattern demonstrates how seemingly benign file handling operations can create security vulnerabilities when proper input validation and resolution procedures are not implemented. The root cause lies in the lack of proper file system access controls during symbolic link processing, where the system assumes all files are legitimate without validating their actual nature or resolving any potential links before access. Security practitioners should recognize this as a classic example of how insufficient input sanitization can lead to severe privilege escalation vulnerabilities, particularly in systems handling user-provided content with elevated privileges.

Mitigation strategies must address both immediate remediation and long-term architectural improvements to prevent similar vulnerabilities. The recommended upgrade to RES version 2026.06 represents the primary defensive measure, as this release includes proper symbolic link resolution validation and enhanced file access controls within the affected API endpoint. Organizations should also implement additional monitoring around file system operations involving user-provided content, particularly in privileged processes that handle authentication credentials. The solution demonstrates the importance of following secure coding practices such as implementing proper path resolution checks, using safe file handling functions, and ensuring that elevated privilege processes maintain strict input validation boundaries. From a compliance perspective, this vulnerability highlights the need for regular security assessments and timely patch management to address known vulnerabilities in open-source components used within enterprise environments.

Responsible

AMZN

Reservation

07/06/2026

Disclosure

07/07/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!