🟠 High  |  Source: AWS Security Bulletins


A deserialization vulnerability (CVE-2026-14265) has been identified in the AWS Advanced JDBC Wrapper’s RemoteQueryCachePlugin, affecting versions 3.3.0 through 4.0.0. When the plugin is enabled, query results retrieved from a shared Redis or Valkey cache are deserialized without any class filtering, meaning an attacker with write access to that cache could plant a malicious serialized object and achieve remote code execution on the application server. The blast radius is significant for any application using this plugin with a shared, multi-tenant or externally accessible cache.

Security Architect’s Take: Audit all deployments of AWS Advanced JDBC Wrapper versions 3.3.0–4.0.0 and disable the RemoteQueryCachePlugin immediately if a patched version cannot be applied; additionally, restrict write access to the shared Redis/Valkey cache to trusted application principals only and treat the cache tier as a sensitive trust boundary.
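The summary above attributes the issue to cache contents being deserialized without any class filtering. The following added example (not code from the AWS Advanced JDBC Wrapper and not the vendor's fix) shows what class filtering looks like with the JDK's `ObjectInputFilter`; it assumes Java 9 or later, and the helper `readCached`, the class names and the sample row data are hypothetical.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;

public class CacheFilterDemo {
    // Allow-list of the only types a cached row set may contain; "!*" rejects the rest.
    // The limits bound depth, references, bytes and array size of one cache entry.
    static final ObjectInputFilter ROWS_ONLY = ObjectInputFilter.Config.createFilter(
        "maxdepth=8;maxrefs=100000;maxbytes=1048576;maxarray=100000;"
        + "java.util.ArrayList;java.lang.Object;java.lang.String;"
        + "java.lang.Number;java.lang.Integer;java.lang.Long;!*");

    // Hypothetical helper: decode bytes read from the cache with the filter applied.
    static Object readCached(byte[] fromCache) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(fromCache))) {
            in.setObjectInputFilter(ROWS_ONLY); // must be set before readObject()
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    // Constructed stand-in for any class outside the allow-list; it does nothing.
    static class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: one cached result set with a single row.
        ArrayList<Object> row = new ArrayList<>(List.of(42, "alice"));
        ArrayList<Object> rows = new ArrayList<>(List.of(row));
        System.out.println("allowed:  " + readCached(serialize(rows)));

        try {
            readCached(serialize(new Unexpected()));
        } catch (InvalidClassException e) {
            // The filter rejects the class descriptor before the object is instantiated.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

An allow-list of this kind narrows what a cache entry can instantiate, but it does not replace restricting write access to the cache.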

Original advisory: CVE-2026-14265 - Deserialization of Untrusted Data in AWS Advanced JDBC Wrapper RemoteQueryCachePlugin