CVE-2026-14265
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk33th percentile — higher than 33% of all known CVEs
Summary
A deserialization vulnerability in the RemoteQueryCachePlugin of AWS Advanced JDBC Wrapper versions 3.3.0 through 4.0.0 allows arbitrary code execution on application servers via untrusted data from Redis or Valkey cache. An attacker with write access to the shared cache can inject a crafted Java object that triggers gadget chains upon deserialization.
Risk Assessment
The risk involves potential remote code execution on application servers, which could lead to system compromise, data theft, or service disruption.
Recommendation
Upgrade AWS Advanced JDBC Wrapper to version 4.0.1 or later immediately to remediate the vulnerability.
Original NVD description (English source)
Deserialization of untrusted data in the RemoteQueryCachePlugin in Amazon Web Services AWS Advanced JDBC Wrapper 3.3.0 through 4.0.0 might allow an actor with write access to the shared cache infrastructure to execute arbitrary code on application servers that read cached query results via a crafted serialized Java object. The RemoteQueryCachePlugin uses ObjectInputStream without class filtering when deserializing cached query results from Redis or Valkey, enabling gadget chain execution when cache entries are poisoned. We recommend upgrading to AWS Advanced JDBC Wrapper version 4.0.1 or later.

