PT-2026-54642 · Amazon · Aws Advanced Jdbc Wrapper

Davecramer

·

Published

2026-07-01

·

Updated

2026-07-02

·

CVE-2026-14265

CVSS v3.1

7.5

High

VectorAV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions AWS Advanced JDBC Wrapper versions 3.3.0 through 4.0.0
Description Deserialization of untrusted data in the RemoteQueryCachePlugin allows an actor with write access to the shared cache infrastructure to execute arbitrary code on application servers. The issue occurs because the RemoteQueryCachePlugin uses ObjectInputStream without class filtering when deserializing cached query results from Redis or Valkey, which enables gadget chain execution if cache entries are poisoned.
Recommendations Upgrade AWS Advanced JDBC Wrapper to version 4.0.1 or later.

Fix

Deserialization of Untrusted Data

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-14265

Affected Products

Aws Advanced Jdbc Wrapper