CVE-2026-11401
AWS Advanced Go Wrapper has Privilege Escalation in Aurora PostgreSQL instance
Description
Aurora PostgreSQL is a fully managed relational database engine that's compatible with PostgreSQL. An issue in Aurora PostgreSQL using the AWS Go Wrapper was identified, see CVE-2026-11401.

Impact: An issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to the rds_superuser role. A low privilege authenticated user can create a crafted function that could be executed with permissions of other Amazon Relational Database Service (RDS) users.

Impacted versions: AWS Go Wrapper 2026-04-06

Patches: This issue has been addressed in AWS Go Wrapper 2026-05-26. Maintainers recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.

Workarounds: Remove the public schema from the search path.

References: If there are any questions or comments about this advisory, contact [AWS/Amazon] Security via the [vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting) or directly via email to [email protected]. Please do not create a public GitHub issue.
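One way to apply the workaround named in the advisory above (removing the public schema from the search path) on a PostgreSQL-compatible database. This is an added example, not part of the advisory or the AWS project's code; `app_user` and `app_db` are hypothetical names, and the audit queries assume the standard PostgreSQL catalogs are readable by the connected role.

```sql
-- Added example. app_user and app_db are hypothetical placeholders.

-- 1. What the current session resolves unqualified names against.
SHOW search_path;

-- 2. Stored per-role / per-database overrides that still list "public".
--    An empty result does not prove "public" is absent: with no override the
--    server-wide default applies, which is normally "$user", public.
SELECT coalesce(d.datname, '(all databases)') AS database_name,
       coalesce(r.rolname, '(all roles)')     AS role_name,
       cfg                                    AS setting
FROM   pg_db_role_setting AS s
       LEFT JOIN pg_database AS d ON d.oid = s.setdatabase
       LEFT JOIN pg_roles    AS r ON r.oid = s.setrole
       CROSS JOIN LATERAL unnest(s.setconfig) AS cfg
WHERE  cfg LIKE 'search_path=%'
  AND  cfg ~ '(=|,)\s*"?public"?\s*(,|$)';

-- 3. Roles that are able to create objects in "public" (assumption: these
--    are the accounts whose objects an unqualified name could resolve to
--    while "public" remains on the path).
SELECT r.rolname
FROM   pg_roles AS r
WHERE  has_schema_privilege(r.rolname, 'public', 'CREATE')
ORDER  BY r.rolname;

-- 4. Apply the workaround: pin an explicit search_path without "public".
--    pg_catalog is still searched implicitly, so built-ins keep resolving.
ALTER DATABASE app_db SET search_path = "$user";
ALTER ROLE app_user IN DATABASE app_db SET search_path = "$user";

-- 5. Verify from a NEW session opened as app_user against app_db.
SHOW search_path;
```

The stored setting only takes effect for sessions opened after the change, and application queries that relied on unqualified names for objects in `public` must then reference them as `public.object_name`.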
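How to fix CVE-2026-11401
To fix CVE-2026-11401, upgrade the affected packages to the patched versions listed below.
- — Upgrade to 1.1.1 or later
- — Upgrade to 1.1.2 or later
- — Upgrade to 2.0.1 or later
- — Upgrade to 1.0.4 or later
- — Upgrade to 1.1.1 or later
- — Upgrade to 1.1.1 or later
- — Upgrade to 1.1.1 or later
- — Upgrade to 1.1.1 or later
- — Upgrade to 1.0.7 or later
- — Upgrade to 1.1.1 or later
- — Upgrade to 1.07 or later
Is CVE-2026-11401 being exploited?
There are currently no signals of exploitation. CVE-2026-11401 is not in CISA KEV and has no recent EPSS score.
Affected packages (11)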
- from 0, < 1.1.1
- from 0, < 1.1.2
- from 0, < 2.0.1
- from 0, < 1.0.4
- from 0, < 1.1.1
- from 0, < 1.1.1
- from 0, < 1.1.1
- from 0, < 1.1.1
- from 0, < 1.0.7
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH 8.0 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |