VDB
KO
HIGH 8.0

GHSA-mhww-p97m-3368

AWS-JDBC Wrapper: Privilege Escalation in Aurora PostgreSQL instance

Details

Aurora PostgreSQL is a fully managed relational database engine that's compatible with PostgreSQL.

The team has identified CVE-2026-11400, an issue in Aurora PostgreSQL using the AWS Advanced JDBC Wrapper

Impact An issue in AWS Wrappers for Amazon Aurora PostgreSQL will allow for privilege escalation to rds_superuser role. A low privilege authenticated user can create a crafted function that could be executed with permissions of other Amazon Relational Database Service (RDS) users.

Impacted versions: AWS Advanced JDBC Wrapper >= 3.0.0 and < 4.0.1

Patches This issue has been addressed in AWS JDBC Wrapper v4.0.1. It is recommended to upgrade to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.

Workarounds Remove the public schema from the search path.

Resources If there are any questions or comments about this advisory, contact [AWS/Amazon] Security via [vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting) or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue.

Acknowledgement

AWS-JDBC Wrapper would like to thank [x.com/ph0smet](http://x.com/ph0smet) for collaborating on this issue through the coordinated vulnerability disclosure process.

Are you affected?

Enter the version of the package you're using.

Affected packages

Maven / software.amazon.jdbc:aws-advanced-jdbc-wrapper
Introduced in: 3.0.0 Fixed in: 4.0.1
Fix # pom.xml: bump <version>4.0.1</version> for software.amazon.jdbc:aws-advanced-jdbc-wrapper

References