HIGH | CVE-2026-11400 | CNA: AMZN

CVE-2026-11400: Privilege Escalation in AWS Advanced JDBC Wrapper for Amazon Aurora PostgreSQL

An untrusted search path issue in the GlobalDatabasePlugin in the AWS Advanced JDBC Wrapper for Amazon Aurora PostgreSQL will allow a remote authenticated low-privilege actor to escalate privileges to those of another Amazon RDS user, including rds_superuser, via a crafted function created by the actor that runs when that user connects to the cluster through an affected wrapper. To remediate this issue, users should upgrade to AWS Advanced JDBC Wrapper version 4.0.1.

Metrics

CVSS v4.0: 8.6
Severity: HIGH
Fixed in: 4.0.1
Affected Products: 1


HarborGuard Analysis

Synopsis

An untrusted search path vulnerability in the GlobalDatabasePlugin component of the AWS Advanced JDBC Wrapper for Amazon Aurora PostgreSQL allows a remote, low-privileged authenticated attacker to escalate their database privileges to those of any other Amazon RDS user, including rds_superuser. The attack is carried out by the authenticated attacker planting a crafted function in a location the plugin searches at connection time; when a higher-privileged user subsequently connects to the Aurora cluster through the affected wrapper, that function executes under their identity. Successful exploitation gives the attacker full access to data and operations permitted to the targeted user, up to and including superuser-level control. A patched-image rebuild at version 4.0.1 is available on HarborGuard for environments running an affected version of the wrapper.

HarborGuard Coverage

Detection

Detection of CVE-2026-11400 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle the AWS Advanced JDBC Wrapper. Any image containing an affected version (3.0.0 up to, but not including, 4.0.1) is flagged automatically in both registry scans and CI/CD pipeline checks.

Triage

Triage is available: the CVSS v4.0 score of 8.6 (HIGH) is applied immediately on match, and per-environment compliance policy weighting can promote or adjust priority before the finding is routed to the appropriate team inbox within each customer organization.

Patch

A patched-image rebuild at AWS Advanced JDBC Wrapper 4.0.1 becomes available on HarborGuard the moment the fix version is indexed from the upstream release feed. For customers who opt into auto-remediation, HarborGuard can rebuild the affected image, run a regression test suite, and open a pull request against affected workloads automatically, without requiring manual intervention.


Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Aurora cluster and its connection layer over the network; the affected plugin is exercised during remote database connections, so network access to the service is a prerequisite.

  • Authentication: Required

    Any low-privilege Amazon RDS account is sufficient; the attacker must be able to authenticate to the cluster and create database functions, but no administrative credentials are needed to initiate the attack.

  • Victim interaction: Required

    A higher-privileged user must connect to the Aurora cluster through the affected wrapper after the malicious function has been planted, making this a social-engineering or timing-dependent vector that requires another user's action.

  • Attack complexity: Detail

    The exploit is reliable and condition-free once the crafted function is in place; no race conditions, special memory layout, or unpredictable environmental factors are required to trigger privilege escalation on the victim's next connection.

Blast Radius

  • The attacker inherits the full privilege set of the targeted RDS user, including rds_superuser if that user is the victim, allowing unrestricted reads across all database objects and stored data in the Aurora cluster.
  • All data in the cluster can be modified or deleted under the escalated identity, including rows, schemas, and configuration objects the original low-privilege account cannot touch.
  • The attacker can create, alter, or drop database roles and grant themselves or others persistent elevated access, leaving backdoors that survive after the initial exploitation window closes.
  • Availability of the database service can be disrupted by an rds_superuser-level actor terminating connections, dropping critical objects, or exhausting server resources.

How HarborGuard Handles This

Available on HarborGuard: any image containing AWS Advanced JDBC Wrapper versions from 3.0.0 up to, but not including, 4.0.1 is detected automatically against the published advisory within minutes of CVE ingestion. A rebuilt image pinned to version 4.0.1 becomes available as soon as the fix version is indexed. For customers who opt into auto-remediation, HarborGuard rebuilds the affected image at the patched version, executes the configured regression test suite, and opens a pull request against affected workloads; for HIGH-severity issues, median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the finding is routed with the CVSS 8.6 HIGH score and full exploit context to the designated team inbox so reviewers have the information needed to act quickly. No compensating controls fully substitute for the version upgrade given the authenticated-but-low-privilege attack surface, but network policy restrictions limiting which principals can create functions in shared schemas reduce the window of opportunity while a patch is being applied.
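
The interim control mentioned above, limiting who can create functions in shared schemas, can be audited and tightened from PostgreSQL itself. The following is an added example, not HarborGuard or AWS code; it assumes `public` is the shared schema in question, since the advisory names neither the schema nor the function involved.

```sql
-- Added example. Run as an administrative role on the Aurora PostgreSQL cluster.
-- Assumption: "public" stands in for whatever shared schema sits on your
-- users' search_path; substitute your own schema names as needed.

-- 1. Which non-superuser roles can create objects (functions included) in
--    each non-system schema? has_schema_privilege() also counts privileges
--    inherited through role membership and through the PUBLIC pseudo-role.
SELECT n.nspname AS schema_name,
       r.rolname AS role_name
FROM pg_namespace n
CROSS JOIN pg_roles r
WHERE n.nspname !~ '^pg_'
  AND n.nspname <> 'information_schema'
  AND NOT r.rolsuper
  AND has_schema_privilege(r.oid, n.oid, 'CREATE')
ORDER BY schema_name, role_name;

-- 2. Functions already present in the shared schema, with their owners.
--    Review any owned by a role that should not be publishing code there.
SELECT p.proname                                 AS function_name,
       pg_get_function_identity_arguments(p.oid) AS arguments,
       pg_get_userbyid(p.proowner)               AS owner
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE n.nspname = 'public'
ORDER BY owner, function_name;

-- 3. Per-role search_path overrides, which add schemas to the lookup order
--    used to resolve unqualified function names.
SELECT rolname, rolconfig
FROM pg_roles
WHERE rolconfig::text LIKE '%search_path%';

-- 4. Tighten: remove the blanket CREATE grant on the shared schema, then
--    grant CREATE back only to the specific roles that need it.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
```

Rerun query 1 after the `REVOKE` to confirm that only the intended roles remain; upgrading the wrapper to 4.0.1 is still the fix.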


Fix available: 4.0.1

Affected packages
  • AWS / AWS Advanced JDBC Wrapper
    < 4.0.1 (from 3.0.0)

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N