PatchSiren cyber security CVE debrief
CVE-2026-11401 AWS CVE debrief
CVE-2026-11401 is a HIGH severity vulnerability with a CVSS score of 8.6. An untrusted search path issue in the GlobalDatabasePlugin in the AWS Advanced Go Wrapper for Amazon Aurora PostgreSQL allows a remote authenticated low-privilege actor to escalate privileges to those of another Amazon RDS user, including rds_superuser, via a crafted function created by the actor that runs when that user connects to the cluster through the affected wrapper.
- Vendor: AWS
- Product: AWS Advanced Go Wrapper
- CVSS: HIGH 8.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-05
- Original CVE updated: 2026-06-05
- Advisory published: 2026-06-05
- Advisory updated: 2026-06-05
Who should care
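Users of the AWS Advanced Go Wrapper for Amazon Aurora PostgreSQL should be aware of this vulnerability and remediate it, especially where privileged Amazon RDS users such as rds_superuser connect to the cluster through the wrapper.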
Technical summary
The vulnerability is caused by an untrusted search path issue in the GlobalDatabasePlugin. A remote authenticated low-privilege actor can exploit this vulnerability to escalate privileges to those of another Amazon RDS user, including rds_superuser.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to the AWS Advanced Go Wrapper release 2026-05-26
Evidence notes
The CVE was published on 2026-06-05T20:17:28.883Z and modified on 2026-06-05T20:49:22.527Z. The vulnerability has been assigned a CVSS score of 8.6 and a severity of HIGH.
Official resources
- CVE-2026-11401 CVE record (CVE.org)
- CVE-2026-11401 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: ff89ba41-3aa1-4d27-914a-91399e9639e5