CVE-2026-14265
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Deserialization of untrusted data in the RemoteQueryCachePlugin in Amazon Web Services AWS Advanced JDBC Wrapper 3.3.0 through 4.0.0 might allow an actor with write access to the shared cache infrastructure to execute arbitrary code on application servers that read cached query results via a crafted serialized Java object. The RemoteQueryCachePlugin uses ObjectInputStream without class filtering when deserializing cached query results from Redis or Valkey, enabling gadget chain execution when cache entries are poisoned.
We recommend upgrading to AWS Advanced JDBC Wrapper version 4.0.1 or later.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| AWS | AWS Advanced JDBC Wrapper | 3.3.0 <= 4.0.0 | affected |
Weaknesses
- CWE-502: CWE-502 Deserialization of untrusted data
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://github.com/aws/aws-advanced-jdbc-wrapper/releases/tag/4.0.1
- https://aws.amazon.com/security/security-bulletins/2026-051-aws/
- https://github.com/aws/aws-advanced-jdbc-wrapper/security/advisories/GHSA-c5q4-97jw-jggh
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.