HIGH 8.0

CVE-2026-11400: AWS Advanced JDBC Wrapper Privilege Escalation in Aurora PostgreSQL

A privilege escalation flaw exists in the AWS Advanced JDBC Wrapper for Amazon Aurora PostgreSQL. An authenticated user with low privileges can exploit an untrusted search path to run malicious code that escalates their access level to match any other database user, potentially gaining superuser rights. The attack requires the victim to connect to the cluster through the affected wrapper, making it a realistic threat in environments where multiple database users operate through the same wrapper instance.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.0 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-426
Affected products
0 configuration(s)
Published / Modified
2026-06-05 / 2026-06-17

NVD description (verbatim)

An untrusted search path issue in the GlobalDatabasePlugin in the AWS Advanced JDBC Wrapper for Amazon Aurora PostgreSQL will allow a remote authenticated low-privilege actor to escalate privileges to those of another Amazon RDS user, including rds_superuser, via a crafted function created by the actor that runs when that user connects to the cluster through an affected wrapper. To remediate this issue, users should upgrade to AWS Advanced JDBC Wrapper version 4.0.1.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11400 is a privilege escalation vulnerability in GlobalDatabasePlugin within the AWS Advanced JDBC Wrapper. The root cause is an untrusted search path that allows a low-privilege authenticated actor to inject a crafted function into the database. When a higher-privileged user (including rds_superuser) connects through the wrapper, the injected function executes in that user's context, transferring privileges to the attacker. The vulnerability requires prior authentication and user interaction (connection via the wrapper), but once triggered, grants complete privilege escalation. This is classified as a CWE-426 (Untrusted Search Path) issue.

Business impact

Organizations using AWS Advanced JDBC Wrapper to manage Aurora PostgreSQL clusters face significant data compromise risk. An insider or compromised low-privilege account can escalate to administrator level, enabling unauthorized data exfiltration, modification, or destruction. Multi-tenant environments are particularly vulnerable, as a single compromised user can breach isolation boundaries. Regulatory compliance (SOC 2, PCI DSS, HIPAA) may be impacted if superuser access is gained and audit trails are tampered with. Recovery from such an incident requires forensic investigation and potential credential rotation across all affected users.

Affected systems

The vulnerability affects AWS Advanced JDBC Wrapper versions prior to 4.0.1. It impacts any Aurora PostgreSQL deployment using this wrapper for connection management. The GlobalDatabasePlugin component is the attack vector, meaning environments leveraging global database features are at heightened risk. Systems not using the AWS Advanced JDBC Wrapper, or those already running version 4.0.1 or later, are unaffected.

Exploitability

Exploitability is moderate-to-high despite the authentication requirement. The attacker must have valid database credentials with low privileges, a realistic assumption for many organizations. The user interaction requirement (victim must connect via the wrapper) is not a significant barrier in persistent application environments where connections occur regularly. No special tooling or zero-day techniques are needed; standard SQL function creation capabilities suffice. The attack is detectable only through careful audit logging, and many environments lack granular function-creation monitoring.

Remediation

Immediate patching to AWS Advanced JDBC Wrapper version 4.0.1 is required. Organizations must inventory all deployments using this wrapper across Aurora PostgreSQL clusters and apply the update systematically. Prior to patching, restrict wrapper access to trusted network segments and limit low-privilege user accounts with CREATE FUNCTION permissions. Review audit logs for any suspicious function definitions created by low-privilege users. Consider temporary connection restrictions until patching is complete.

Patch guidance

Upgrade AWS Advanced JDBC Wrapper to version 4.0.1 or later. Verify the patch by checking wrapper version in your application's dependencies and testing connectivity to your Aurora PostgreSQL clusters. Coordinate patching with application teams to ensure zero-downtime deployment strategies (blue-green or rolling updates). Test in pre-production first to confirm compatibility with your specific Aurora PostgreSQL versions and application configuration. After deployment, validate that existing functions continue to execute correctly and that user privileges remain properly segregated.

Detection guidance

Monitor CloudTrail and Aurora PostgreSQL logs for CREATE FUNCTION calls executed by low-privilege users, especially those not aligned with standard deployment or migration activities. Look for functions created in public or search_path-accessible schemas. Audit rds_superuser and other privileged role assumption by non-service accounts. Implement alerts on unusual privilege grants or role switches. Review the wrapper's connection logs for unexpected user context changes. Enable fine-grained auditing in Aurora PostgreSQL (pgaudit extension) to track function creation and execution by user.

Why prioritize this

This vulnerability merits immediate attention due to the combination of high CVSS score (8.0), privilege escalation impact, and the likelihood of successful exploitation in multi-user database environments. Although not yet on the KEV list, the simplicity of the attack and presence of low-privilege attackers in typical organizations make this a credible, near-term threat. Any Aurora PostgreSQL deployment with untrusted users warrants emergency patching.

Risk score, explained

CVSS 8.0 (HIGH) reflects the high confidentiality, integrity, and availability impact of unrestricted superuser access. The score accounts for the low attack complexity (standard SQL), low privilege requirement (authenticated user), and the requirement for user interaction (victim connection). The network-accessible vector raises the baseline. While not CRITICAL, the persistence and blast radius of privilege escalation to superuser level justify the HIGH classification and urgent remediation.

Frequently asked questions

Does this vulnerability require the attacker to have database superuser privileges to begin with?

No. The vulnerability allows a low-privilege authenticated user to escalate to superuser or other high-privilege roles. The attacker only needs valid database credentials and the ability to connect through the affected wrapper.

Can this be exploited if the wrapper is only used for read-only queries?

The exploit requires the ability to create functions in the database, which is a write operation. Read-only wrapper configurations may be less vulnerable, but the attack is possible if any CREATE FUNCTION permission exists for the low-privilege user.

What versions of Aurora PostgreSQL are affected?

The vulnerability affects AWS Advanced JDBC Wrapper when used with Aurora PostgreSQL clusters. Verify your wrapper version; patching to 4.0.1 resolves the issue regardless of Aurora PostgreSQL version.

Is there a workaround if we cannot patch immediately?

Restrict CREATE FUNCTION permissions for low-privilege users in your Aurora roles. Implement network segmentation to limit who can access the wrapper. Review and remove any suspicious functions already created. However, patching remains the definitive remediation.

This analysis is provided for informational purposes to assist security professionals in vulnerability assessment and remediation planning. The information is accurate to the knowledge cutoff and should be cross-referenced with official AWS security advisories and vendor patches before deployment decisions. No liability is assumed for outcomes arising from reliance on this analysis. Organizations must conduct their own risk assessment and validate patch compatibility in their environments. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).