Security Advisory - Published 2026-06-12 - AWS Aurora PostgreSQL

AWS Aurora PostgreSQL Wrapper CVE-2026-11400 and 11401: privilege check

These CVEs affect applications that connect to Amazon Aurora PostgreSQL through AWS wrapper libraries. A low-privilege database user can become more dangerous when an affected wrapper runs with another user's permissions and the database search path is loose enough to pick up attacker-controlled functions.

Defensive scope: this page covers dependency inventory, database configuration review, patching, and audit checks. It does not include crafted PostgreSQL functions or instructions for privilege escalation testing.

Who is affected

CVE            | Component                 | Affected version           | Fixed version
CVE-2026-11400 | AWS Advanced JDBC Wrapper | 3.0.0 through before 4.0.1 | 4.0.1 or newer
CVE-2026-11401 | AWS Advanced Go Wrapper   | 2026-04-06 release         | 2026-05-26 release or newer

Dependency check

mvn dependency:tree | grep -i aws-advanced-jdbc-wrapper
./gradlew dependencies --configuration runtimeClasspath | grep -i aws-advanced-jdbc-wrapper
go list -m all | grep -i aws-advanced-go-wrapper
grep -R "aws-advanced-jdbc-wrapper\\|aws-advanced-go-wrapper" pom.xml build.gradle go.mod go.sum 2>/dev/null

Check production images and serverless bundles, not only the repository. A patched lockfile does not help if the deployed artifact still carries the older wrapper.
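The commands above only print version strings; deciding whether a printed version falls inside the affected range is where mistakes happen (3.10.0 sorts before 3.9.0 lexically, 4.0.0 is still affected, 4.0.1 is not). The following shell functions are an added example, not part of this advisory and not code from AWS. They assume a POSIX shell, the `3.0.0 <= v < 4.0.1` range from the table for the JDBC wrapper, the release dates from the table for the Go wrapper, and the `artifact:jar:VERSION:scope` (Maven) or `artifact:VERSION` (Gradle) line shapes for the scan helper; the sample listing line in the usage is constructed.

```shell
#!/bin/sh
# Added example, not from the advisory or from AWS: classify the wrapper
# versions that the dependency commands print against the table above.
# POSIX sh only; no network or database access.

# ver_cmp A B -> prints -1, 0 or 1 for dotted numeric versions (3.10.0 > 3.9.1).
# Missing fields count as 0; a suffix such as -SNAPSHOT on a field is ignored.
ver_cmp() {
    a=$1.0.0.0
    b=$2.0.0.0
    i=0
    while [ "$i" -lt 3 ]; do
        x=${a%%.*}; a=${a#*.}
        y=${b%%.*}; b=${b#*.}
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}
        if [ "${x:-0}" -lt "${y:-0}" ]; then echo -1; return; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then echo 1; return; fi
        i=$((i + 1))
    done
    echo 0
}

# jdbc_wrapper_status VERSION -> "affected" for 3.0.0 <= VERSION < 4.0.1
# (CVE-2026-11400), otherwise "ok".
jdbc_wrapper_status() {
    if [ "$(ver_cmp "$1" 3.0.0)" -ge 0 ] && [ "$(ver_cmp "$1" 4.0.1)" -lt 0 ]; then
        echo affected
    else
        echo ok
    fi
}

# go_wrapper_status RELEASE_DATE -> "affected" for the 2026-04-06 release named
# in the table (CVE-2026-11401), "ok" for 2026-05-26 or newer, and "review" for
# anything else: the table does not cover other releases, so do not assume they
# are safe.
go_wrapper_status() {
    case $1 in
        2026-04-06) echo affected; return ;;
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo review; return ;;
    esac
    if [ "$(printf '%s' "$1" | sed 's/-//g')" -ge 20260526 ]; then
        echo ok
    else
        echo review
    fi
}

# scan_jdbc_listing reads build-tool output on stdin and prints
# "<version> <status>" for every aws-advanced-jdbc-wrapper line it finds.
# Expected shapes (assumption): "...aws-advanced-jdbc-wrapper:jar:3.1.0:compile"
# from mvn dependency:tree, or "...aws-advanced-jdbc-wrapper:3.1.0" from Gradle.
scan_jdbc_listing() {
    grep -o 'aws-advanced-jdbc-wrapper:\(jar:\)\{0,1\}[0-9][0-9.]*[^: ]*' |
    while IFS= read -r hit; do
        v=${hit##*:}
        echo "$v $(jdbc_wrapper_status "$v")"
    done
}

# Usage with a constructed Maven line; in practice pipe the real tree:
#   mvn dependency:tree | scan_jdbc_listing
printf '[INFO] +- software.amazon.jdbc:aws-advanced-jdbc-wrapper:jar:3.1.0:compile\n' |
    scan_jdbc_listing
```

Run the scan against the dependency tree of the deployed artifact (the image or bundle), not only against the repository checkout, for the reason given above.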

Database checks

SHOW search_path;
SELECT nspname FROM pg_namespace WHERE nspname = 'public';
SELECT rolname, rolsuper, rolcreaterole, rolcreatedb FROM pg_roles ORDER BY rolname;

AWS lists removing public from search_path as a workaround. Treat this as a controlled database change: test migrations, extensions, and application functions before applying it globally.

Audit signals

  • Low-privilege users creating or replacing functions in schemas that appear in search_path.
  • Connection spikes through the affected wrapper from application services after June 5, 2026.
  • Unexpected use of rds_superuser-level operations or new database roles.
  • Application errors after removing public from search paths, especially older migrations.
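The three SHOW/SELECT statements under "Database checks" describe the current session only, and the first audit signal above (low-privilege users creating functions in searched schemas) needs a query rather than a glance at pg_roles. The shell wrapper below is an added example, not part of this advisory and not code from AWS, that bundles the catalog queries behind both passages so they can be reviewed and then run with psql. It assumes psql is installed, that connection parameters come from the usual PG* environment variables or arguments passed through to psql, and that the connecting role can read pg_catalog; no objects are created or changed.

```shell
#!/bin/sh
# Added example, not from the advisory or from AWS: catalog queries for the
# "Database checks" and the first "Audit signals" bullet, wrapped so they can
# be inspected (audit_sql) before being run (run_audit). Read-only.

# audit_sql prints the queries so they can be reviewed before use.
audit_sql() {
    cat <<'SQL'
-- 1. Who can create objects in schema "public"? The PUBLIC pseudo-role
--    holding CREATE here is what lets any low-privilege user add functions
--    that a loose search_path may resolve before the intended ones.
SELECT 'PUBLIC' AS grantee,
       has_schema_privilege('public', 'public', 'CREATE') AS can_create
UNION ALL
SELECT r.rolname, true
FROM pg_roles r
WHERE NOT r.rolsuper
  AND has_schema_privilege(r.rolname, 'public', 'CREATE')
ORDER BY 1;

-- 2. Functions in the schemas this session would search, owned by roles
--    that are not true superusers. On Aurora, rds_superuser is not rolsuper
--    either, so review those owners rather than dismissing them.
SELECT n.nspname AS schema, p.proname AS function, r.rolname AS owner
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
JOIN pg_roles r ON r.oid = p.proowner
WHERE n.nspname = ANY (current_schemas(false))
  AND NOT r.rolsuper
ORDER BY 1, 2;

-- 3. Per-database and per-role search_path overrides. SHOW search_path only
--    reports the current session; a cluster-wide removal of "public" has to
--    cover these settings as well.
SELECT COALESCE(d.datname, '(all databases)') AS database,
       COALESCE(r.rolname, '(all roles)')    AS role,
       s.setconfig
FROM pg_db_role_setting s
LEFT JOIN pg_database d ON d.oid = s.setdatabase
LEFT JOIN pg_roles r ON r.oid = s.setrole
WHERE EXISTS (SELECT 1 FROM unnest(s.setconfig) AS c WHERE c LIKE 'search_path=%');
SQL
}

# run_audit feeds the queries to psql; any arguments are passed to psql
# (for example a connection string). ON_ERROR_STOP aborts on the first
# failing statement instead of silently continuing, -X skips psqlrc.
run_audit() {
    audit_sql | psql -X -v ON_ERROR_STOP=1 "$@"
}

# Usage: review first, then run against the cluster endpoint.
#   audit_sql
#   run_audit "postgresql://reader@CLUSTER-ENDPOINT:5432/appdb"   # placeholder DSN
```

Rows from query 1 other than the application's owner roles, and rows from query 2 whose owner is an application or service account, are the ones to reconcile against the "Safe fix path" steps below; query 3 tells you where removing public has to be repeated beyond the cluster default.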

Safe fix path

  1. Upgrade AWS Advanced JDBC Wrapper to 4.0.1 or newer.
  2. Upgrade AWS Advanced Go Wrapper to the 2026-05-26 release or newer.
  3. Remove public from search paths where the application does not require it.
  4. Review database roles, function creation permissions, and application connection users.
  5. Redeploy every service that bundles the affected wrapper and confirm the runtime dependency version.

When to request repair help

Use Ping7 CVE Repair if Aurora PostgreSQL is shared by multiple apps, low-privilege database users can create functions, or you cannot tell which deployed services bundle the affected wrapper. Send the wrapper type, version, Aurora cluster role model, and whether public is in search_path.

References