Security Advisory - Published 2026-06-12 - AWS Aurora PostgreSQL
AWS Aurora PostgreSQL Wrapper CVE-2026-11400 and CVE-2026-11401: privilege check
These CVEs affect applications that connect to Amazon Aurora PostgreSQL through the AWS Advanced JDBC Wrapper or the AWS Advanced Go Wrapper. The wrappers issue queries under the connecting application user. When that user holds more privileges than other database users and search_path includes a schema, typically public, in which a low-privilege user can create functions, an attacker-controlled function can be resolved in place of the intended one and executed with the application user's permissions. The low-privilege user does not gain rights directly; the wrapper's session exercises them on the attacker's behalf.
Who is affected
| CVE | Component | Affected versions | Fixed version |
|---|---|---|---|
| CVE-2026-11400 | AWS Advanced JDBC Wrapper | 3.0.0 up to, but not including, 4.0.1 | 4.0.1 or newer |
| CVE-2026-11401 | AWS Advanced Go Wrapper | 2026-04-06 release | 2026-05-26 release or newer |
Dependency check
mvn dependency:tree | grep -i aws-advanced-jdbc-wrapper
./gradlew dependencies --configuration runtimeClasspath | grep -i aws-advanced-jdbc-wrapper
go list -m all | grep -i aws-advanced-go-wrapper
grep -RE "aws-advanced-(jdbc|go)-wrapper" pom.xml build.gradle go.mod go.sum 2>/dev/null
The first three commands show the resolved version, which is what matters; the grep only shows what is declared. Check production images and serverless bundles, not only the repository: a patched lockfile does not help if the deployed artifact still carries the older wrapper.
Database checks
SHOW search_path;
SELECT nspname FROM pg_namespace WHERE nspname = 'public';
SELECT rolname, rolsuper, rolcreaterole, rolcreatedb FROM pg_roles ORDER BY rolname;
Run SHOW search_path connected as each role the wrappers use: search_path can be overridden per role (ALTER ROLE ... SET) and per database (ALTER DATABASE ... SET), so the server default is not necessarily what the wrapper's sessions see. The second query only confirms that the public schema exists; the exposure is whether low-privilege roles can create functions in it. On Aurora, privileged customer roles are members of rds_superuser rather than true superusers, so expect rolsuper to be false and review rds_superuser membership alongside the role attributes above.
AWS lists removing public from search_path as a workaround. Treat this as a controlled database change: test migrations, extensions, and application functions that reference objects in public without a schema qualifier before applying it globally.
Audit signals
- Low-privilege users creating or replacing functions in schemas that appear in search_path.
- Connection spikes through the affected wrapper from application services after June 5, 2026.
- Unexpected use of rds_superuser-level operations or new database roles.
- Application errors after removing public from search paths, especially in older migrations.
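The queries below are an added example, not part of the advisory or of AWS documentation; they turn the first and third signals above, and the Database checks, into catalog queries you can run on an Aurora PostgreSQL cluster. They assume psql access as a role that can read pg_catalog; rds_superuser is the Aurora role name, and no other identifiers are assumed.

```sql
-- Added example, not from the advisory or AWS: catalog queries for the
-- "who can plant functions where the wrapper will find them" signals.
-- Read-only. Run connected as the role the wrapper uses, so that
-- current_schemas() in query 4 reflects that role's effective search_path.

-- 1. Role- and database-level search_path overrides. setdatabase = 0 means
--    the setting applies in every database; setrole = 0 means every role.
SELECT CASE WHEN setrole = 0 THEN '(all roles)' ELSE setrole::regrole::text END AS role_name,
       CASE WHEN setdatabase = 0 THEN '(all databases)'
            ELSE (SELECT datname FROM pg_database WHERE oid = setdatabase) END AS db_name,
       cfg
FROM   pg_db_role_setting, unnest(setconfig) AS cfg
WHERE  cfg LIKE 'search_path=%';

-- 2. Login roles that may create objects, and therefore functions, in public.
--    Before PostgreSQL 15 this is every role, because CREATE on public is
--    granted to PUBLIC by default.
SELECT rolname
FROM   pg_roles
WHERE  rolcanlogin
  AND  has_schema_privilege(rolname, 'public', 'CREATE')
ORDER  BY rolname;

-- 3. Who is effectively privileged. Customer roles on Aurora are not
--    superusers; the elevated ones are members of rds_superuser.
SELECT m.rolname AS member
FROM   pg_auth_members am
JOIN   pg_roles m ON m.oid = am.member
WHERE  am.roleid = 'rds_superuser'::regrole
ORDER  BY m.rolname;

-- 4. Functions in the session's search_path owned by roles that are neither
--    superusers nor rds_superuser members: the planting candidates.
--    shadows_builtin_name flags names that also exist in pg_catalog; a
--    privileged caller resolves to the planted one when the argument types
--    match its signature more closely than the built-in's.
SELECT n.nspname AS schema,
       p.proname  AS function,
       pg_get_function_identity_arguments(p.oid) AS args,
       o.rolname  AS owner,
       l.lanname  AS language,
       EXISTS (SELECT 1 FROM pg_proc c
               WHERE c.proname = p.proname
                 AND c.pronamespace = 'pg_catalog'::regnamespace) AS shadows_builtin_name
FROM   pg_proc p
JOIN   pg_namespace n ON n.oid = p.pronamespace
JOIN   pg_roles     o ON o.oid = p.proowner
JOIN   pg_language  l ON l.oid = p.prolang
WHERE  n.nspname = ANY (current_schemas(false))
  AND  n.nspname <> 'pg_catalog'
  AND  NOT o.rolsuper
  AND  NOT pg_has_role(o.oid, 'rds_superuser', 'MEMBER')
ORDER  BY n.nspname, p.proname;
```

Query 4 only sees the path of the session it runs in, so repeat it connected as each wrapper role that query 1 shows with its own override. Connection spikes (the second signal) come from connection metrics and application logs, not from the catalog.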
Safe fix path
- Upgrade AWS Advanced JDBC Wrapper to 4.0.1 or newer.
- Upgrade AWS Advanced Go Wrapper to the 2026-05-26 release or newer.
- Remove public from search paths where the application does not require it.
- Review database roles, function creation permissions, and application connection users.
- Redeploy every service that bundles the affected wrapper and confirm the runtime dependency version.
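To make the search_path step of the fix path (and the workaround noted under Database checks) concrete, here is an added example, not code from AWS or the advisory. On a test cluster it sets up the loose condition, shows a low-privilege role's function being resolved inside a more privileged session, and then applies the search_path change per role and verifies it. The role and schema names (low_priv, app_user, app) are placeholders, and the shadowed lower() is only an illustration of PostgreSQL name resolution: the advisory does not disclose which internal query the wrappers issue, so do not read it as the wrapper's actual query.

```sql
-- Added example, not from the advisory or AWS. Run on a test cluster only.
-- Placeholders: low_priv (an ordinary application user), app_user (the role
-- the wrapper connects as), schema app. The shadowed lower() illustrates
-- search_path resolution; it is not the wrappers' real query.

-- Setup, as a role that can create roles and schemas (an rds_superuser member):
CREATE ROLE low_priv LOGIN PASSWORD 'change-me';
CREATE ROLE app_user LOGIN PASSWORD 'change-me';
CREATE SCHEMA app;
CREATE TABLE app.accounts (owner varchar(64));
INSERT INTO app.accounts VALUES ('Alice');
GRANT USAGE ON SCHEMA app TO app_user;
GRANT SELECT ON app.accounts TO app_user;
-- Before PostgreSQL 15 this is already the default for every role; it is
-- what makes the cluster "loose" in the advisory's sense.
GRANT CREATE, USAGE ON SCHEMA public TO low_priv;

-- As low_priv (psql: \c - low_priv). pg_catalog is searched first, but a
-- function whose argument type matches exactly beats pg_catalog.lower(text)
-- when the argument is varchar, so a privileged caller picks this one up.
CREATE TABLE public.captured (who text, seen_at timestamptz DEFAULT now());
GRANT INSERT, SELECT ON public.captured TO PUBLIC;
CREATE FUNCTION public.lower(varchar) RETURNS text LANGUAGE sql AS $$
    INSERT INTO public.captured (who) VALUES (current_user);  -- runs as the caller
    SELECT pg_catalog.lower($1::text);                         -- looks harmless
$$;

-- As app_user with the default path (psql: \c - app_user):
SHOW search_path;                       -- "$user", public
SELECT lower(owner) FROM app.accounts;  -- resolves to public.lower(varchar)
SELECT who FROM public.captured;        -- app_user: low_priv's code ran with app_user's rights

-- Workaround, scoped to the wrapper's role so other applications sharing the
-- cluster are untouched. ALTER ROLE affects new sessions only, which is what
-- the wrapper opens; use ALTER DATABASE ... SET search_path for a whole database.
ALTER ROLE app_user SET search_path = pg_catalog, app;
-- Also close the door on planting itself (the PostgreSQL 15 default):
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
REVOKE CREATE ON SCHEMA public FROM low_priv;

-- Reconnect as app_user and verify (psql: \c - app_user):
SHOW search_path;                       -- pg_catalog, app
SELECT lower(owner) FROM app.accounts;  -- pg_catalog.lower(text) via varchar -> text coercion
SELECT count(*) FROM public.captured;   -- unchanged: the planted function no longer runs
-- A schema-qualified call still reaches it, which is why the function must
-- also be dropped and CREATE revoked rather than relying on search_path alone:
SELECT public.lower(owner) FROM app.accounts;

-- Cleanup on the test cluster, as low_priv:
DROP FUNCTION public.lower(varchar);
DROP TABLE public.captured;
```

Anything the application referenced in public without a schema qualifier, including extension functions installed there, stops resolving after the ALTER ROLE, which is the breakage the Audit signals section warns about; that is why the advisory says to test migrations and extensions before applying the change globally.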
When to request repair help
Use Ping7 CVE Repair if Aurora PostgreSQL is shared by multiple apps, low-privilege database users can create functions, or you cannot tell which deployed services bundle the affected wrapper. Send the wrapper type, version, Aurora cluster role model, and whether public is in search_path.