PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-14265 AWS CVE debrief

The CVE record for CVE-2026-14265 was published on 2026-07-01T20:17:08.087Z and has not been modified since then. The NVD entry is currently Analyzed. This vulnerability affects Amazon Web Services AWS Advanced JDBC Wrapper 3.3.0 through 4.0.0, specifically the RemoteQueryCachePlugin, which uses ObjectInputStream without class filtering when deserializing cached query results from Redis or Valkey. This allows an actor with write access to the shared cache infrastructure to execute arbitrary code on application servers that read cached query results via a crafted serialized Java object. The vulnerability has a CVSS score of 7.7 and is considered HIGH severity. Users of affected versions should upgrade to AWS Advanced JDBC Wrapper version 4.0.1 or later to mitigate this vulnerability.

Vendor
AWS
Product
AWS Advanced JDBC Wrapper
CVSS
HIGH 7.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-01
Original CVE updated
2026-07-09
Advisory published
2026-07-01
Advisory updated
2026-07-09

Who should care

Users of Amazon Web Services AWS Advanced JDBC Wrapper 3.3.0 through 4.0.0 should be aware of this vulnerability and take steps to mitigate it. This includes upgrading to version 4.0.1 or later, reviewing and limiting access to the shared cache infrastructure, and monitoring for suspicious activity in the cache. Affected operators, platforms, and security teams should prioritize this vulnerability due to its potential impact on application servers and cached query results.

Technical summary

Deserialization of untrusted data in the RemoteQueryCachePlugin in Amazon Web Services AWS Advanced JDBC Wrapper 3.3.0 through 4.0.0 might allow an actor with write access to the shared cache infrastructure to execute arbitrary code on application servers that read cached query results via a crafted serialized Java object. The RemoteQueryCachePlugin uses ObjectInputStream without class filtering when deserializing cached query results from Redis or Valkey, enabling gadget chain execution when cache entries are poisoned.

Defensive priority

High

Recommended defensive actions

  • Upgrade to AWS Advanced JDBC Wrapper version 4.0.1 or later
  • Review and limit access to the shared cache infrastructure
  • Monitor for suspicious activity in the cache
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record and NVD entry provide details on the vulnerability and its potential impact. Users should review the vendor's advisory and mitigation guidance. Evidence is limited to public sources and may not reflect the full scope or impact of the vulnerability. Defenders should verify affected systems and apply mitigations according to vendor guidance. Additional information may be necessary to fully understand the vulnerability and its implications.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-01T20:17:08.087Z and has not been modified since then. The NVD entry is currently Analyzed.