Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

CVE-2026-14265- Deserialization of Untrusted Data in AWS Advanced JDBC Wrapper RemoteQueryCachePlugin

0
Low
VulnerabilityCVE-2026-14265remotercejava
Published: 07/01/2026 (07/01/2026, 19:40:00 UTC)
Source: AWS Security Bulletins

Description

Bulletin ID: 2026-051-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 07/01/2026 12:45 PM PDT Description: The AWS Advanced JDBC Wrapper is an open-source JDBC driver wrapper that extends a JDBC driver to enable Amazon Aurora and AWS Cloud features such as failover handling and caching. We identified CVE-2026-14265, an issue in the RemoteQueryCachePlugin of the AWS Advanced JDBC Wrapper. When this plugin is enabled, query results read from the shared Redis/Valkey cache are deserialized without class filtering. An actor with write access to the shared cache infrastructure could insert a crafted serialized Java object that, when read by an application, results in execution of arbitrary code on the application server. Impacted versions: >=3.3.0 AND <=4.0.0 Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.

Affected software

com.amazonaws/advanced-jdbc-wrapper
pkg:maven/com.amazonaws/advanced-jdbc-wrapper
Affected versions
=3.3.0=4.0.0

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/01/2026, 19:48:28 UTC

Technical Analysis

The AWS Advanced JDBC Wrapper's RemoteQueryCachePlugin deserializes cached query results from a shared Redis/Valkey cache without proper class filtering. This allows an attacker who can write to the shared cache to insert malicious serialized Java objects that lead to remote code execution on the application server when deserialized. The vulnerability affects versions >=3.3.0 and <=4.0.0 and has been addressed in version 4.0.1. Mitigations include disabling the plugin or restricting write access to the cache infrastructure.

Potential Impact

An attacker with write access to the shared Redis/Valkey cache can execute arbitrary code on the application server by inserting crafted serialized Java objects. This can lead to full compromise of the affected application environment. The vulnerability requires the RemoteQueryCachePlugin to be enabled and attacker write access to the cache infrastructure.

Mitigation Recommendations

A fix is available in AWS Advanced JDBC Wrapper version 4.0.1. Users should upgrade to this version or later. If immediate upgrade is not possible, disable the RemoteQueryCachePlugin (which is not enabled by default) and restrict write access to the Redis/Valkey cache infrastructure to trusted principals only.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Article Source
{"url":"https://aws.amazon.com/security/security-bulletins/rss/2026-051-aws/","fetched":true,"fetchedAt":"2026-07-01T19:48:22.389Z","wordCount":212}

Threat ID: 6a456f0627e9c79719082ae5

Added to database: 07/01/2026, 19:48:22 UTC

Last enriched: 07/01/2026, 19:48:28 UTC

Last updated: 07/02/2026, 03:24:14 UTC

Views: 14

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses