
CVE-2026-14265

7.5 HIGH (CVSS 3.1)
Description
Deserialization of untrusted data in the RemoteQueryCachePlugin in Amazon Web Services AWS Advanced JDBC Wrapper 3.3.0 through 4.0.0 might allow an actor with write access to the shared cache infrastructure to execute arbitrary code on application servers that read cached query results via a crafted serialized Java object. The RemoteQueryCachePlugin uses ObjectInputStream without class filtering when deserializing cached query results from Redis or Valkey, enabling gadget chain execution when cache entries are poisoned. We recommend upgrading to AWS Advanced JDBC Wrapper version 4.0.1 or later.
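The unfiltered ObjectInputStream read the description names, beside the mitigation a defender would apply on the consuming side: installing a JDK 9+ java.io.ObjectInputFilter allow-list before readObject() so that any class outside the expected cache value types is rejected before its deserialization logic runs. This is an added example, not the wrapper's own code; the CachedResult class, the filter pattern and the sample entries are assumptions constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

public class FilteredCacheRead {
    // Hypothetical cache value type standing in for a cached query result.
    public static final class CachedResult implements Serializable {
        private static final long serialVersionUID = 1L;
        String[] rows;
    }
    // Allow-list: only the cache's own value type and the JDK types it is built from may be
    // deserialized; "!*" rejects every other class before its readObject() logic can run
    // (arrays are matched on their component type), and the limits bound a bloated entry.
    static final ObjectInputFilter CACHE_FILTER = ObjectInputFilter.Config.createFilter(
        "maxdepth=8;maxarray=10000;maxbytes=1048576;"
        + "FilteredCacheRead$CachedResult;java.lang.String;!*");
    // Without setObjectInputFilter this is the pattern the advisory describes: any class
    // present on the classpath can be instantiated by whoever can write to the cache.
    static CachedResult readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(CACHE_FILTER); // must precede readObject()
            return (CachedResult) ois.readObject();
        }
    }
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        CachedResult ok = new CachedResult();
        ok.rows = new String[] {"id=1", "id=2"};
        System.out.println("legitimate entry rows: " + readFiltered(serialize(ok)).rows.length);
        // Constructed stand-in for a poisoned entry: a class outside the allow-list
        // (a harmless HashMap here) is rejected with InvalidClassException.
        try {
            readFiltered(serialize(new HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```

The same filter can be applied process-wide with the jdk.serialFilter system property, which also covers deserialization paths in third-party code that cannot be patched directly.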

Metadata

CVE ID: CVE-2026-14265
State: PUBLISHED
Assigner: AMZN
Reserved: 2026-06-30 18:36 UTC
Published: 2026-07-01 19:34 UTC
Last updated: 2026-07-01 19:38 UTC
Primary CWE: CWE-502 Deserialization of untrusted data
Vendor / Product: AWS / AWS Advanced JDBC Wrapper
Sources: cve.org · NVD

Severity & Metrics

7.5 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected products (1)

Vendor  Product                    Platform  Versions
AWS     AWS Advanced JDBC Wrapper  -         3.3.0 through 4.0.0

Weakness (CWE)

CWE      Source  Description
CWE-502  cna     Deserialization of untrusted data

CVSS scores (2)

Score  Severity  Version  Source  Vector
7.7    HIGH      4.0      cna     CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
7.5    HIGH      3.1      cna     CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H