CVE-2026-11401: Aurora PostgreSQL Privilege Escalation via Untrusted Search Path in AWS Advanced Go Wrapper
A privilege escalation flaw exists in the AWS Advanced Go Wrapper used to connect to Amazon Aurora PostgreSQL databases. A low-privileged, authenticated database user can craft a malicious function that executes when another user connects through the wrapper, allowing them to assume that user's privileges—potentially including rds_superuser access. This requires the attacker to have database credentials and user interaction (such as a targeted user initiating a connection), but once triggered, it grants near-complete database control to an unauthorized actor.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.0 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-426
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-05 / 2026-06-17
NVD description (verbatim)
An untrusted search path issue in the GlobalDatabasePlugin in the AWS Advanced Go Wrapper for Amazon Aurora PostgreSQL will allow a remote authenticated low-privilege actor to escalate privileges to those of another Amazon RDS user, including rds_superuser, via a crafted function created by the actor that runs when that user connects to the cluster through the affected wrapper. To remediate this issue, users should upgrade to the AWS Advanced Go Wrapper release 2026-05-26
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11401 is a privilege escalation vulnerability stemming from an untrusted search path issue in the GlobalDatabasePlugin component of the AWS Advanced Go Wrapper for Amazon Aurora PostgreSQL. The vulnerability allows a remote authenticated actor with low-privilege database access to create a specially crafted function that executes within the security context of a higher-privileged user upon connection. By exploiting PostgreSQL's function resolution and execution semantics via the wrapper, an attacker can hijack the connection process and execute arbitrary code with the privileges of the connecting user. The attack requires user interaction in the form of a target user establishing a connection through the affected wrapper instance.
Business impact
This vulnerability poses a critical risk to organizations running Aurora PostgreSQL workloads with the affected AWS Advanced Go Wrapper. An attacker with low-level database credentials could gain rds_superuser or other privileged access, leading to unauthorized data access, modification, or deletion; database service disruption; and potential lateral movement within the AWS environment. For multi-tenant or shared database deployments, a single compromised low-privilege account becomes a pivot point for full cluster compromise. Organizations dependent on database-level access controls for security isolation are particularly exposed.
Affected systems
AWS Advanced Go Wrapper versions prior to 2026-05-26 used with Amazon Aurora PostgreSQL clusters are affected. The vulnerability impacts deployments where the wrapper mediates database connections and where multiple database users with varying privilege levels share the same cluster or instance.
Exploitability
Exploitability is moderate to high. The attack requires an authenticated database user account (low-privilege), which is a common prerequisite in many production environments. However, it also requires user interaction—a higher-privileged user must initiate a connection through the wrapper after the malicious function is planted. This interaction requirement slightly raises the bar for opportunistic exploitation but does not significantly impede targeted attacks within an organization. No public exploit code or active in-the-wild exploitation has been reported as of the publication date.
Remediation
Upgrade the AWS Advanced Go Wrapper to release 2026-05-26 or later. Organizations should verify compatibility and test the upgrade in a non-production environment before deploying to production clusters. Additionally, implement least-privilege access controls to minimize the number of authenticated users with function creation privileges, and monitor database audit logs for suspicious function definitions or execution patterns.
Patch guidance
AWS has released AWS Advanced Go Wrapper version 2026-05-26 to address this vulnerability. Organizations should obtain this version from the official AWS repository or distribution channel, review release notes for any breaking changes or migration guidance, and schedule upgrades during a maintenance window. For high-availability deployments, update wrapper instances in a rolling fashion to minimize downtime. Verify the upgrade by confirming the wrapper version post-deployment and running functional regression tests on your application workloads.
Detection guidance
Monitor Aurora PostgreSQL audit logs and database activity for: (1) function creation by low-privilege users, especially functions with names or code patterns that reference search paths or trigger on connection events; (2) unexpected privilege elevation events or role assumption; (3) execution of functions by users other than their creator or defined owners; (4) unusual connection patterns or wrapper restart events. Configure CloudTrail to capture AWS API calls related to RDS cluster modifications. Use Amazon RDS Enhanced Monitoring to track database performance anomalies that might indicate malicious activity.
Why prioritize this
This vulnerability merits immediate attention due to its HIGH CVSS score (8.0), the broad attack surface it creates in Aurora PostgreSQL environments, and the significant business impact of privilege escalation to rds_superuser. Although it requires authentication and user interaction, both are commonly present in organizational environments. The ease of establishing a foothold (via function creation) and the potential for lateral movement make this a priority for patch management queues.
Risk score, explained
The CVSS 3.1 score of 8.0 (HIGH) reflects: (1) network-based attack vector; (2) low attack complexity—privilege escalation is straightforward once a function is created; (3) requirement for low-level privileges and user interaction, which lower but do not eliminate risk; (4) high impact across confidentiality, integrity, and availability due to the ability to escalate to rds_superuser and execute arbitrary database commands. The score appropriately captures the severity of unchecked privilege escalation in a database context.
Frequently asked questions
Do I need an AWS account to be vulnerable to this?
No. You need an active Aurora PostgreSQL cluster with the affected AWS Advanced Go Wrapper version and at least one authenticated database user account. However, AWS credentials are required to provision and manage the cluster itself. A user within your organization or a contractor with database credentials could exploit this to escalate to higher-privileged roles.
What if we don't use the AWS Advanced Go Wrapper?
If your applications connect directly to Aurora PostgreSQL without using the Advanced Go Wrapper, you are not affected by this specific vulnerability. However, verify your connection method in your application architecture and deployment documentation. Some teams use the wrapper transparently for connection pooling or monitoring, so confirming absence is important.
Can we mitigate this without upgrading immediately?
Partial mitigation is possible: restrict database user creation and function creation privileges to only trusted application service accounts; implement database-level audit logging and alerts for suspicious function definitions; limit network access to the database cluster using security groups; and restrict which users can initiate connections. However, these mitigations are not a substitute for patching. Upgrade as soon as testing confirms compatibility with your workloads.
Does this affect Aurora MySQL or only PostgreSQL?
This vulnerability is specific to Aurora PostgreSQL and the AWS Advanced Go Wrapper's GlobalDatabasePlugin. Aurora MySQL deployments are not affected. However, always verify against your specific wrapper configuration and version.
This analysis is provided for informational and defensive security purposes. No exploit code or weaponized proof-of-concept instructions are included. Organizations should verify all patch versions and guidance against official AWS advisories and release notes. Testing in non-production environments before production deployment is strongly recommended. SEC.co does not warrant the completeness or accuracy of third-party vendor information; always consult authoritative sources for your specific configuration. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25383HIGHFree MP3 CD Ripper 2.8 Stack Overflow – ROP and DEP Bypass Risk
- CVE-2018-25385HIGHUnauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10
- CVE-2018-25386HIGHSQL Injection in HaPe PKH 1.1 Admin Interface
- CVE-2018-25388HIGHHaPe PKH 1.1 Arbitrary File Upload Vulnerability (CVSS 8.8)
- CVE-2018-25389HIGHSQL Injection in HaPe PKH 1.1 Database Extraction
- CVE-2018-25390HIGHUnauthenticated SQL Injection in HaPe PKH 1.1
- CVE-2018-25391HIGHHaPe PKH 1.1 Authorization Bypass – Unauthorized Record Deletion Vulnerability