CVE-2025-14503 HIGH

CVE-2025-14503: Overly Permissive Trust Policy in Harmonix on AWS EKS

Vendor Aws
Product Harmonix on AWS
Weakness CWE-266
Published December 15, 2025
Last update February 26, 2026

CVSS base score

8.6/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

An overly-permissive IAM trust policy in the Harmonix on AWS framework may allow IAM principals in the same AWS account to escalate privileges via role assumption. The sample code for the EKS environment provisioning role is configured to trust the account root principal, which may enable any IAM principal in the same AWS account with sts:AssumeRole permissions to assume the role with administrative privileges. We recommend customers upgrade to Harmonix on AWS v0.4.2 or later if you have deployed the framework using versions v0.3.0 through v0.4.1.

Key dates

02Disclosure timeline

December 15, 2025 CVE published
February 26, 2026 Record updated