AWS RES patched urgently
AWS fixed multiple critical flaws in its Research and Engineering Studio that could let authenticated users run root‑level commands or escalate privileges, and administrators are being urged to update to RES version 2026.03. The fixes also require downstream forks and custom deployments to be reviewed and upgraded to close the attack paths attackers could exploit. (cybersecuritynews.com) (gbhackers.com)
AWS Research and Engineering Studio is the kind of tool a lab or engineering team uses to hand people a ready-made cloud desktop, with files, apps, and permissions already wired up. In Amazon’s own description, it is a web portal where administrators spin up Windows or Linux virtual desktops on Amazon Elastic Compute Cloud for scientists and engineers. (github.com) (aws.amazon.com) That setup only works if the portal is strict about what a user can name, request, or pass into it. If the portal treats user input like trusted instructions, a normal account can sometimes turn a text field into a command line. (aws.amazon.com)

Amazon said on April 6, 2026 that three security flaws in Research and Engineering Studio had been fixed in version 2026.03. Two bugs could let an authenticated user run arbitrary commands, and one could let an authenticated user take on the permissions of the virtual desktop host’s instance profile. (aws.amazon.com)

One flaw, tracked as CVE-2026-5707, sat in session name handling. Amazon said versions 2025.03 through 2025.12.01 could let a remote authenticated actor execute arbitrary commands as root on the virtual desktop host through a crafted session name. (aws.amazon.com)

Another flaw, CVE-2026-5709, was in the FileBrowser application programming interface, which is the file manager layer people use to browse and move data. Amazon said versions 2024.10 through 2025.12.01 could let a remote authenticated actor execute arbitrary commands on the cluster-manager Elastic Compute Cloud instance through crafted input. (aws.amazon.com)

The third flaw, CVE-2026-5708, was a privilege-escalation bug in session creation. Amazon said a crafted application programming interface request could let an authenticated user inject an external instance profile and then interact with other Amazon Web Services resources using the virtual desktop host’s permissions. (aws.amazon.com) (docs.aws.amazon.com)

Version 2026.03 shipped on March 26, 2026 with new admin features, but the release notes also quietly carried the security fixes. Amazon’s documentation lists three specific repairs: a privilege-escalation fix in FileBrowser, a cross-user remote code execution fix via session name injection, and a fix for using an external instance profile Amazon Resource Name during session creation. (aws.amazon.com) (docs.aws.amazon.com) (github.com)

This is more urgent than a normal patch note because Research and Engineering Studio is open source and meant to be deployed and customized by customers. Amazon explicitly told users to upgrade and to make sure any forked or derivative code also pulls in the fixes, which means teams running their own modified copies do not get protected just because Amazon updated the main project. (aws.amazon.com) (github.com)

Amazon also published mitigation instructions for older deployments, but the bulletin points to version 2026.03 as the resolution. If a team is still on 2025.12.01 or earlier, the risky paths Amazon named are session names, FileBrowser input, and session creation requests that touch instance profiles. (aws.amazon.com) (github.com)

The short version is that this was not a bug in some hidden back-end service nobody touches. It was a bug in the control panel that decides who gets a cloud desktop, what that desktop can do, and which Amazon Web Services permissions ride along with it. (github.com) (aws.amazon.com)
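The two input paths named above, session names and instance profile ARNs in a session-creation request, are the kind of fields a portal should allowlist before they reach a host-side command or an IAM call. The following is an added illustration of that pattern, not code from RES or AWS: the account id, the `res-` profile prefix and the `/opt/res/bin/session-setup` helper path are constructed placeholders for a hypothetical deployment.

```python
import re
from typing import Optional

# Constructed deployment values (hypothetical, not from RES): the account that
# owns this deployment and the naming prefix of instance profiles it created.
DEPLOYMENT_ACCOUNT_ID = "123456789012"
DEPLOYMENT_PROFILE_PREFIX = (
    f"arn:aws:iam::{DEPLOYMENT_ACCOUNT_ID}:instance-profile/res-"
)

# Allowlist for session names: letters, digits, '-' and '_', 1 to 64 chars.
# Anything a shell or host-side script could interpret (;, |, $, quotes,
# whitespace) simply does not match and is rejected.
SESSION_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}")

# Strict shape of an IAM instance profile ARN; group 1 is the account id.
PROFILE_ARN_RE = re.compile(
    r"arn:aws:iam::(\d{12}):instance-profile/[A-Za-z0-9+=,.@_/-]{1,128}"
)


def validate_session_name(name: str) -> str:
    """Return the name unchanged if it matches the allowlist, else raise."""
    if not SESSION_NAME_RE.fullmatch(name):
        raise ValueError(f"rejected session name: {name!r}")
    return name


def validate_instance_profile_arn(arn: Optional[str]) -> Optional[str]:
    """Accept only instance profiles this deployment owns; None = default."""
    if arn is None:
        return None
    match = PROFILE_ARN_RE.fullmatch(arn)
    if (match is None
            or match.group(1) != DEPLOYMENT_ACCOUNT_ID
            or not arn.startswith(DEPLOYMENT_PROFILE_PREFIX)):
        raise ValueError(f"rejected instance profile: {arn!r}")
    return arn


def validate_session_request(request: dict) -> dict:
    """Validate the user-controlled fields of a session-creation request."""
    return {
        "session_name": validate_session_name(request.get("session_name", "")),
        "instance_profile_arn": validate_instance_profile_arn(
            request.get("instance_profile_arn")),
    }


def session_setup_argv(session_name: str) -> list:
    """Host-side command as an argv list (hypothetical helper path), so no
    shell ever parses the session name as text; pass it to subprocess.run."""
    return ["/opt/res/bin/session-setup",
            "--session-name", validate_session_name(session_name)]
```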