๐Ÿ” CVE Alert

CVE-2026-14265

HIGH 7.5

RCE via Deserialization in AWS Advanced JDBC Wrapper

CVSS Score: 7.5
EPSS Score: 0.4%
EPSS Percentile: 33rd

Deserialization of untrusted data in the RemoteQueryCachePlugin in Amazon Web Services AWS Advanced JDBC Wrapper 3.3.0 through 4.0.0 might allow an actor with write access to the shared cache infrastructure to execute arbitrary code on application servers that read cached query results via a crafted serialized Java object. The RemoteQueryCachePlugin uses ObjectInputStream without class filtering when deserializing cached query results from Redis or Valkey, enabling gadget chain execution when cache entries are poisoned. We recommend upgrading to AWS Advanced JDBC Wrapper version 4.0.1 or later.
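
As an added example (not the wrapper's code and not the 4.0.1 fix), the class filtering that the description says was missing can be sketched with the JDK's `ObjectInputFilter`: a reject-by-default allow-list set on the stream before `readObject()`. The class name `FilteredCacheRead`, the `String[]` row shape and the limits are assumptions, and the sample entries are constructed in-process instead of being read from Redis or Valkey.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.Date;
import java.util.Set;

// Added illustration (Java 9+). Names are hypothetical, not taken from the wrapper.
public class FilteredCacheRead {
    // Only the types a cached row is expected to contain (assumed shape: String[]).
    private static final Set<Class<?>> ALLOWED = Set.of(String.class);

    // Reject-by-default filter: classes outside the allow-list are refused
    // before any of their deserialization logic runs.
    static final ObjectInputFilter CACHE_FILTER = info -> {
        if (info.depth() > 4 || info.references() > 10_000
                || info.arrayLength() > 10_000 || info.streamBytes() > 1_048_576) {
            return ObjectInputFilter.Status.REJECTED;
        }
        Class<?> c = info.serialClass();
        if (c == null) return ObjectInputFilter.Status.UNDECIDED; // limits-only callback
        while (c.isArray()) c = c.getComponentType();
        return ALLOWED.contains(c) ? ObjectInputFilter.Status.ALLOWED
                                   : ObjectInputFilter.Status.REJECTED;
    };

    // Returns the cached row, or null (treat as a cache miss) when the entry is rejected.
    static String[] readCached(byte[] entry) throws Exception {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(entry))) {
            in.setObjectInputFilter(CACHE_FILTER); // set before the first readObject()
            return (String[]) in.readObject();
        } catch (InvalidClassException rejected) {
            return null; // the filter refused a class in the stream
        }
    }

    static byte[] serialize(Object o) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: an expected row, and a harmless stand-in for a
        // cache value of a type the application never wrote.
        System.out.println(readCached(serialize(new String[] {"42", "alice"})).length);
        System.out.println(readCached(serialize(new Date(0))));
    }
}
```

A rejected entry is worth logging and alerting on as well as discarding, since a cache value of an unexpected type indicates that something other than the application wrote to the shared cache.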

CWE: CWE-502
Vendor: aws
Product: aws advanced jdbc wrapper
Published: Jul 1, 2026
Last Updated: Jul 2, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Affected Versions

AWS / AWS Advanced JDBC Wrapper
3.3.0 ≤ 4.0.0

References

github.com: https://github.com/aws/aws-advanced-jdbc-wrapper/releases/tag/4.0.1
aws.amazon.com: https://aws.amazon.com/security/security-bulletins/2026-051-aws/
github.com: https://github.com/aws/aws-advanced-jdbc-wrapper/security/advisories/GHSA-c5q4-97jw-jggh