CVE-2026-14265 - Deserialization of Untrusted Data in AWS Advanced JDBC Wrapper RemoteQueryCachePlugin
Bulletin ID: 2026-051-AWS
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 07/01/2026 12:45 PM PDT
Description: The AWS Advanced JDBC Wrapper is an open-source JDBC driver wrapper that extends a JDBC driver to enable Amazon Aurora and AWS Cloud features such as failover handling and caching. We identified CVE-2026-14265, an issue in the RemoteQueryCachePlugin of the AWS Advanced JDBC Wrapper. When this plugin is enabled, query results read from the shared Redis/Valkey cache are deserialized without class filtering. An actor with write access to the shared cache infrastructure could insert a crafted serialized Java object that, when read by an application, results in execution of arbitrary code on the application server.
Impacted versions: >=3.3.0 AND <=4.0.0
Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
AI Analysis
Technical Summary
The AWS Advanced JDBC Wrapper's RemoteQueryCachePlugin deserializes cached query results from a shared Redis/Valkey cache without proper class filtering. This allows an attacker who can write to the shared cache to insert malicious serialized Java objects that lead to remote code execution on the application server when deserialized. The vulnerability affects versions >=3.3.0 and <=4.0.0 and has been addressed in version 4.0.1. Mitigations include disabling the plugin or restricting write access to the cache infrastructure.
Potential Impact
An attacker with write access to the shared Redis/Valkey cache can execute arbitrary code on the application server by inserting crafted serialized Java objects. This can lead to full compromise of the affected application environment. The vulnerability requires the RemoteQueryCachePlugin to be enabled and attacker write access to the cache infrastructure.
Mitigation Recommendations
A fix is available in AWS Advanced JDBC Wrapper version 4.0.1. Users should upgrade to this version or later. If immediate upgrade is not possible, disable the RemoteQueryCachePlugin (which is not enabled by default) and restrict write access to the Redis/Valkey cache infrastructure to trusted principals only.
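The control the bulletin names as missing is class filtering at deserialization time. As an added illustration (not the wrapper's code and not the 4.0.1 fix), this Java 9+ example reads the same constructed bytes with and without a `java.io.ObjectInputFilter` allow-list; the class name `CacheFilterDemo`, the nested `Unexpected` type and the list-of-rows format are assumptions made for the example.

```java
import java.io.*;
import java.util.*;

public class CacheFilterDemo {
    // Hypothetical class standing in for anything outside the expected row types.
    static class Unexpected implements Serializable {}
    // Allow-list for the constructed row format; "!*" rejects every other class.
    // Object covers ArrayList's Object[] capacity check; Number is Integer's superclass.
    static final ObjectInputFilter ROW_FILTER = ObjectInputFilter.Config.createFilter(
        "maxdepth=8;maxrefs=100000;maxarray=100000;maxbytes=8388608;"
        + "java.util.ArrayList;java.lang.String;java.lang.Integer;"
        + "java.lang.Number;java.lang.Object;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Pattern the advisory describes: bytes from the cache go straight to readObject().
    static Object readUnfiltered(byte[] cached) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(cached))) {
            return in.readObject();
        }
    }

    // Same read with a stream filter installed before the first readObject() call.
    static Object readFiltered(byte[] cached) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(cached))) {
            in.setObjectInputFilter(ROW_FILTER);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, not captured from a real cache.
        List<Object> rows = new ArrayList<>();
        rows.add(new ArrayList<Object>(List.of(1, "alice")));
        byte[] good = serialize(rows);
        byte[] other = serialize(new Unexpected());
        System.out.println("rows, filtered:    " + readFiltered(good));
        System.out.println("other, unfiltered: " + readUnfiltered(other).getClass().getName());
        try {
            readFiltered(other);
        } catch (InvalidClassException e) {
            System.out.println("other, filtered:   " + e.getMessage());
        }
    }
}
```

The filter is consulted for each class descriptor before the object is instantiated, so a rejected class never reaches its `readObject` logic; the unfiltered path instantiates whatever serializable type the bytes name.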
Affected software
pkg:maven/com.amazonaws/advanced-jdbc-wrapper
Technical Details
- Article Source: https://aws.amazon.com/security/security-bulletins/rss/2026-051-aws/ (fetched 2026-07-01T19:48:22.389Z; 212 words)
Threat ID: 6a456f0627e9c79719082ae5
Added to database: 07/01/2026, 19:48:22 UTC
Last enriched: 07/01/2026, 19:48:28 UTC
Last updated: 07/02/2026, 03:24:14 UTC