HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-11401Published Modified CNA AMZN

CVE-2026-11401: Privilege Escalation in AWS Advanced Go Wrapper for Amazon Aurora PostgreSQL

An untrusted search path issue in the GlobalDatabasePlugin in the AWS Advanced Go Wrapper for Amazon Aurora PostgreSQL will allow a remote authenticated low-privilege actor to escalate privileges to those of another Amazon RDS user, including rds_superuser, via a crafted function created by the actor that runs when that user connects to the cluster through the affected wrapper. To remediate this issue, users should upgrade to the AWS Advanced Go Wrapper release 2026-05-26

Metrics

CVSS v4.0
8.6
Severity
HIGH
Fixed in
2026-05-26
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

A privilege escalation vulnerability exists in the GlobalDatabasePlugin component of the AWS Advanced Go Wrapper for Amazon Aurora PostgreSQL. The flaw is reachable over the network and requires a low-privilege authenticated account; no admin access is needed. A successful attacker can hijack the session of another Amazon RDS user, including one with rds_superuser rights, by planting a crafted function that executes when that user connects through the affected wrapper. A patched-image rebuild at fix version 2026-05-26 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection of CVE-2026-11401 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle the AWS Advanced Go Wrapper. Any image layer containing an affected wrapper version (earlier than the 2026-05-26 release, introduced from 2026-04-06) will be flagged automatically.

Available
Triage

HarborGuard scores this CVE at CVSS 8.6 HIGH and is capable of weighting that score against each customer environment's compliance policy to determine urgency and escalation path. Triage findings are routable to the appropriate team inbox within each customer org based on image ownership and policy configuration.

Available
Patch

A patched-image rebuild pinned to the 2026-05-26 fix release is available on HarborGuard for any environment running an affected wrapper version. For customers who opt into auto-remediation, HarborGuard is capable of performing the rebuild, running a regression test suite, and opening a pull request against affected workloads automatically; for high-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled.

Available

Exploit Conditions

  • Network reachabilityRequired

    The attacker must reach the Aurora PostgreSQL cluster endpoint over the network through the affected wrapper to deliver the crafted function.

  • AuthenticationRequired

    A valid low-privilege Amazon RDS account is sufficient; no administrative credentials are needed.

  • Victim interactionRequired

    A higher-privilege user (including a potential rds_superuser) must connect to the cluster through the affected wrapper, triggering the attacker's planted function.

  • Attack complexityDetail

    Exploit conditions are straightforward and reliable; no race conditions or special environmental factors are required.

Blast Radius

  • The attacker gains the full privileges of the targeted RDS user, including rds_superuser rights if that user is the victim.
  • With superuser-equivalent access, the attacker can read any database object, including stored credentials, application data, and secrets held in the Aurora PostgreSQL cluster.
  • The attacker can modify or delete persisted database rows, schemas, and configuration, corrupting application state or destroying data.
  • Service availability can be disrupted by dropping tables, terminating backend connections, or exhausting cluster resources under the escalated role.

How HarborGuard Handles This

Available on HarborGuard: images containing the AWS Advanced Go Wrapper at any version between 2026-04-06 and the 2026-05-26 fix release are detectable the moment a scan runs or the CVE is ingested. Where compliance policy permits auto-remediation, HarborGuard rebuilds the affected image at the 2026-05-26 release, executes a regression run, and opens a pull request against impacted workloads; for HIGH-severity issues like this one, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. For environments where auto-remediation is not enabled, the rebuilt image is staged and a triage alert is routed to the appropriate team for manual review. In the interim, customers can apply compensating controls such as restricting which low-privilege accounts can create functions in shared schemas and enforcing network policy to limit which identities can connect through the GlobalDatabasePlugin path.

See how HarborGuard automates this

Fix available

2026-05-26
Patch commits
Affected packages
  • AWS / AWS Advanced Go Wrapper
    < 2026-05-26 (from 2026-04-06)
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References