CVE-2026-7791
Published: 04 May 2026
Summary
CVE-2026-7791 is a high-severity Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367) vulnerability in Amazon WorkSpaces (inferred from references). Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); it is ranked at the 2.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-7791 is an improper privilege management vulnerability (CWE-367) in the log rotation mechanism of the Skylight Workspace Config Service in Amazon WorkSpaces for Windows before version 2.6.2034.0. Published on 2026-05-04, it carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The issue stems from inadequate handling of privileges during log rotation, enabling attackers to circumvent file system permission protections.
A local non-admin authenticated user can exploit this vulnerability to place arbitrary files in arbitrary locations on the file system. Successful exploitation leads to local privilege escalation to SYSTEM privileges, potentially allowing full control over the affected WorkSpaces instance.
AWS has published security bulletin 2026-025 addressing this vulnerability, available at https://aws.amazon.com/security/security-bulletins/2026-025-aws/. Security practitioners should review the bulletin for detailed mitigation guidance, including patching to Amazon WorkSpaces for Windows version 2.6.2034.0 or later.
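A quick inventory check for the fixed build named above, added here as an example and not taken from AWS or the bulletin: it reads the standard Windows uninstall registry keys and compares the installed client version with 2.6.2034.0. The display-name pattern 'Amazon WorkSpaces*' is an assumption; adjust it if the client registers under a different name.

```powershell
# Added example: flag Amazon WorkSpaces for Windows installs older than the fixed build.
# Assumption: the client registers under the standard Uninstall keys with a
# DisplayName starting with "Amazon WorkSpaces"; adjust $namePattern if it differs.
$fixedVersion = [version]'2.6.2034.0'
$namePattern  = 'Amazon WorkSpaces*'

# Machine-wide (64-bit and 32-bit views) and per-user install locations.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$installs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $namePattern -and $_.DisplayVersion }

if (-not $installs) {
    Write-Output 'No Amazon WorkSpaces client entry found in the uninstall registry keys.'
    return
}

foreach ($app in $installs) {
    # DisplayVersion is a string; a parse failure is reported rather than silently skipped.
    $installed = $null
    if (-not [version]::TryParse($app.DisplayVersion, [ref]$installed)) {
        Write-Output ("{0}: unparseable DisplayVersion '{1}', check manually" -f $app.DisplayName, $app.DisplayVersion)
        continue
    }
    $status = if ($installed -lt $fixedVersion) { 'VULNERABLE (CVE-2026-7791), update required' } else { 'patched' }
    [pscustomobject]@{
        Name      = $app.DisplayName
        Installed = $installed
        Fixed     = $fixedVersion
        Status    = $status
    }
}
```

Run it in an elevated session on each endpoint (or via your endpoint management tooling) and act on any entry reported as VULNERABLE.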
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-27149
Vulnerability details
Improper privilege management in the log rotation mechanism of the Skylight Workspace Config Service in Amazon WorkSpaces for Windows before 2.6.2034.0 allows a local non-admin authenticated user to place arbitrary files into arbitrary locations, bypassing file system permission protections and leading to local privilege escalation to SYSTEM.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local authenticated arbitrary file write via log rotation TOCTOU race condition directly enables privilege escalation from low-privileged user to SYSTEM on Windows.
Mitigating Controls (NIST 800-53 r5)
- AC-6 (Least Privilege): enforces least privilege for the Skylight Workspace Config Service, preventing arbitrary file placement in unauthorized locations during log rotation by limiting excessive privileges.
- AC-3 (Access Enforcement): mandates enforcement of access control policies to block the bypass of file system permission protections exploited for local privilege escalation.
- SI-2 (Flaw Remediation): requires timely flaw remediation, such as patching to Amazon WorkSpaces for Windows version 2.6.2034.0 or later, to address the improper privilege management in the log rotation mechanism.