🔴 Critical  |  Source: AWS Security Bulletins


A path traversal vulnerability (CVE-2026-14904) in AWS Research and Engineering Studio (RES) allows any authenticated user to read arbitrary files on the cluster-manager EC2 instance by replacing their SSH private key with a symbolic link. Because the cluster-manager process runs as root, attackers can access highly sensitive files including other users’ SSH private keys and application secrets. All RES versions up to and including 2026.03 are affected.

Security Architect’s Take: Upgrade AWS RES to a version beyond 2026.03 immediately; if patching is not immediately possible, restrict access to the Auth.GetUserPrivateKey API and audit the cluster-manager instance for any unexpected symbolic links in user SSH directories. Review who has authenticated access to RES environments and treat any exposed SSH keys or secrets as compromised.

Original advisory: CVE-2026-14904 - Improper Link Resolution in Auth.GetUserPrivateKey in AWS Research and Engineering Studio