AWS-JDBC Wrapper: Privilege Escalation in Aurora PostgreSQL instance
High severity
GitHub Reviewed
Published
Jun 5, 2026
in
aws/aws-advanced-jdbc-wrapper
•
Updated Jul 17, 2026
Package
Affected versions
>= 3.0.0, < 4.0.1
Patched versions
4.0.1
Description
Published by the National Vulnerability Database
Jun 5, 2026
Published to the GitHub Advisory Database
Jul 17, 2026
Reviewed
Jul 17, 2026
Last updated
Jul 17, 2026
Aurora PostgreSQL is a fully managed relational database engine that's compatible with PostgreSQL.
The team has identified CVE-2026-11400, an issue in Aurora PostgreSQL using the AWS Advanced JDBC Wrapper
Impact
An issue in AWS Wrappers for Amazon Aurora PostgreSQL will allow for privilege escalation to rds_superuser role. A low privilege authenticated user can create a crafted function that could be executed with permissions of other Amazon Relational Database Service (RDS) users.
Impacted versions: AWS Advanced JDBC Wrapper >= 3.0.0 and < 4.0.1
Patches
This issue has been addressed in AWS JDBC Wrapper v4.0.1. It is recommended to upgrade to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.
Workarounds
Remove the public schema from the search path.
Resources
If there are any questions or comments about this advisory, contact [AWS/Amazon] Security via vulnerability reporting page or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.
Acknowledgement
AWS-JDBC Wrapper would like to thank x.com/ph0smet for collaborating on this issue through the coordinated vulnerability disclosure process.
References