
CVE-2026-7791 (Severity: High)

Published: 04 May 2026
Modified: 05 May 2026
KEV Added: not listed
Patch: available (Amazon WorkSpaces for Windows 2.6.2034.0 or later)
CVSS v4.0 Score: 8.5 (High)
CVSS v4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (threat, environmental and supplemental metrics not defined)
EPSS Score: 0.0012 (2.3rd percentile)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-7791 is a high-severity vulnerability in Amazon WorkSpaces for Windows (product inferred from references), classified as CWE-367, Time-of-check Time-of-use (TOCTOU) Race Condition. Its CVSS v4.0 base score is 8.5 (High); its CVSS v3.1 base score is 7.8.

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its EPSS score sits at the 2.3rd percentile (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-7791 is a local privilege escalation flaw in the log rotation mechanism of the Skylight Workspace Config Service in Amazon WorkSpaces for Windows before version 2.6.2034.0. The vendor description calls it improper privilege management; the CWE assigned is CWE-367 (TOCTOU race condition), which describes a privileged component that checks a file-system object and then operates on it while a less-privileged party can change what that object refers to in between. Published on 2026-05-04, it carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and a CVSS v4.0 base score of 8.5. The issue stems from inadequate handling of privileges during log rotation, so the service can be made to write where file system permissions should have forbidden.

A local, authenticated, non-admin user can exploit this to place arbitrary files in arbitrary locations on the file system, bypassing file system permission protections. Because the write is performed by the privileged service rather than by the user, that arbitrary file write yields local privilege escalation to SYSTEM, and potentially full control of the affected WorkSpaces host.
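To make the bug class concrete, here is an added illustration (written for this page; it is not Amazon's code and not an exploit for CVE-2026-7791) of a CWE-367 check-then-act gap in a privileged log-rotation routine, beside a hardened version that decides on the opened descriptor instead of the path. It uses POSIX symlinks and O_NOFOLLOW as a stand-in, so it runs on Linux or macOS; on Windows the attacker's equivalent primitives are symbolic links, NTFS junctions and mount points, and the equivalent defence is to open with FILE_FLAG_OPEN_REPARSE_POINT, reject reparse points, and validate the handle you actually opened. The `after_check` hook, file names and directory layout are constructed for the demonstration.

```python
"""CWE-367 in a privileged log-rotation routine: the check-then-act gap and a
hardened rewrite that decides on the opened descriptor instead of the path.

Added illustration of the bug class; not Amazon's code and not an exploit for
CVE-2026-7791. POSIX symlinks and O_NOFOLLOW stand in for the Windows
reparse-point (symlink/junction/mount point) case, so this runs on Linux/macOS.
"""
import os
import stat
import tempfile


def rotate_log_unsafe(log_path: str, after_check=lambda: None) -> bool:
    """Vulnerable pattern: validate the *path*, then act on the *path*.
    `after_check` stands in for the attacker's window: a low-privileged user
    who controls the log directory swaps the file for a symlink between the
    check and the use. open() then follows the link and the privileged
    process truncates whatever the link targets."""
    if os.path.islink(log_path) or not os.path.isfile(log_path):
        return False                      # time of check: "a plain log file"
    after_check()                         # attacker acts here
    with open(log_path, "w"):             # time of use: follows the new symlink
        pass                              # rotation truncates the link target
    return True


def rotate_log_safe(log_path: str, after_check=lambda: None) -> bool:
    """Hardened: no decision is based on the path. Open with O_NOFOLLOW so a
    symlink in the final component fails (ELOOP), inspect the object actually
    opened via fstat, and act only through that descriptor. There is no window
    because the check and the use refer to the same open file."""
    after_check()                         # attacker may swap whenever they like
    try:
        fd = os.open(log_path, os.O_WRONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    except OSError:
        return False                      # symlink, missing, FIFO: refuse
    try:
        st = os.fstat(fd)
        if (not stat.S_ISREG(st.st_mode)        # not a regular file
                or st.st_nlink != 1             # hard-linked elsewhere
                or st.st_uid != os.geteuid()):  # not owned by this service
            return False
        os.ftruncate(fd, 0)               # act on the handle, not the path
        return True
    finally:
        os.close(fd)


def demo() -> dict[str, dict[str, object]]:
    """Run both routines against a constructed layout: service.log (the real
    log) and victim.txt (standing in for a SYSTEM-protected file the attacker
    wants clobbered). Returns what each routine reported and the victim's size
    afterwards, plus the safe routine's behaviour when nobody attacks."""
    results: dict[str, dict[str, object]] = {}
    for name, rotate in (("unsafe", rotate_log_unsafe), ("safe", rotate_log_safe)):
        with tempfile.TemporaryDirectory() as d:
            log = os.path.join(d, "service.log")
            victim = os.path.join(d, "victim.txt")
            with open(log, "w") as f:
                f.write("log line\n")
            with open(victim, "w") as f:
                f.write("important contents\n")

            def swap(log=log, victim=victim):   # the attacker's move
                os.remove(log)
                os.symlink(victim, log)

            rotated = rotate(log, after_check=swap)
            results[name] = {"rotated": rotated,
                             "victim_size": os.path.getsize(victim)}
    with tempfile.TemporaryDirectory() as d:      # legitimate rotation still works
        log = os.path.join(d, "service.log")
        with open(log, "w") as f:
            f.write("log line\n")
        results["safe_no_attack"] = {"rotated": rotate_log_safe(log),
                                     "log_size": os.path.getsize(log)}
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:15s} {outcome}")
```

The unsafe routine reports a successful rotation while the victim file ends up empty; the hardened routine refuses the swapped file and still rotates a genuine log normally. Note that the race only exists because a lower-privileged user can alter the directory the service rotates in: tightening the directory ACL (AC-6) removes the attacker's primitive, and the handle-based check removes the window even where the ACL cannot be tightened.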

AWS has published security bulletin 2026-025 addressing this vulnerability, available at https://aws.amazon.com/security/security-bulletins/2026-025-aws/. Update Amazon WorkSpaces for Windows to version 2.6.2034.0 or later; the bulletin carries the detailed mitigation guidance.
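As an added example (not AWS's code and not the vulnerability database's), the following Python checks a software inventory against the fixed build and buckets hosts for follow-up. The inventory rows are constructed; in practice they would come from your endpoint inventory (for example the DisplayVersion value under the Windows Uninstall registry keys, which is an assumption about how you gather it, not something the advisory specifies).

```python
"""Fleet check for CVE-2026-7791: flag Amazon WorkSpaces for Windows installs
below the fixed build 2.6.2034.0 (from AWS security bulletin 2026-025).

Added example, not code from AWS or from the vulnerability database.
"""
from dataclasses import dataclass

FIXED_VERSION = "2.6.2034.0"


def parse_version(text: str) -> tuple[int, ...]:
    """Parse a dotted numeric version into a comparable tuple, padding to four
    components so that "2.6.2034" compares equal to "2.6.2034.0".
    Raises ValueError on anything that is not dotted digits, so a malformed
    inventory row is surfaced rather than silently treated as patched."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * max(0, 4 - len(nums))


def is_vulnerable(version: str) -> bool:
    """True when the installed version is strictly below the fixed build."""
    return parse_version(version) < parse_version(FIXED_VERSION)


@dataclass
class Host:
    name: str
    product: str
    platform: str
    version: str


def classify(inventory: list[Host]) -> dict[str, list[str]]:
    """Bucket WorkSpaces-for-Windows hosts into vulnerable / patched / unknown.
    Entries for other platforms are skipped: the advisory scopes the flaw to
    the Windows client, so a macOS client row is not evidence either way."""
    buckets: dict[str, list[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for host in inventory:
        if "workspaces" not in host.product.lower() or host.platform.lower() != "windows":
            continue
        try:
            key = "vulnerable" if is_vulnerable(host.version) else "patched"
        except ValueError:
            key = "unknown"          # cannot prove it is fixed: report it
        buckets[key].append(host.name)
    return buckets


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    Host("ws-001", "Amazon WorkSpaces", "Windows", "2.6.2010.0"),
    Host("ws-002", "Amazon WorkSpaces", "Windows", "2.6.2034.0"),
    Host("ws-003", "Amazon WorkSpaces", "Windows", "2.7.0.0"),
    Host("ws-004", "Amazon WorkSpaces", "Windows", "2.6.2034"),
    Host("ws-005", "Amazon WorkSpaces", "macOS", "5.0.1"),
    Host("ws-006", "Amazon WorkSpaces", "Windows", "n/a"),
]

if __name__ == "__main__":
    for bucket, hosts in classify(SAMPLE_INVENTORY).items():
        print(f"{bucket:10s} {', '.join(hosts) or '-'}")
```

Hosts whose version cannot be parsed land in the "unknown" bucket on purpose: an inventory gap should generate work, not a false sense of coverage.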


Vulnerability details

Improper privilege management in the log rotation mechanism of the Skylight Workspace Config Service in Amazon WorkSpaces for Windows before 2.6.2034.0 allows a local non-admin authenticated user to place arbitrary files into arbitrary locations bypassing file system permission protections, leading to local privilege escalation to SYSTEM.

CWE(s)

CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

A local, authenticated user gains an arbitrary file write through the TOCTOU race in log rotation, which directly enables escalation from a low-privileged account to SYSTEM on Windows.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-24071 (shared CWE-367)
CVE-2026-45208 (shared CWE-367)
CVE-2025-38352 (shared CWE-367)
CVE-2024-53032 (shared CWE-367)
CVE-2026-41651 (shared CWE-367)
CVE-2024-48394 (shared CWE-367)
CVE-2026-2364 (shared CWE-367)
CVE-2026-27750 (shared CWE-367)
CVE-2023-20548 (shared CWE-367)
CVE-2024-45560 (shared CWE-367)

Affected Assets

Amazon WorkSpaces for Windows, versions before 2.6.2034.0 (vendor and product inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

AC-6 Least Privilege (prevent): Enforces least privilege for the Skylight Workspace Config Service, preventing arbitrary file placement in unauthorized locations during log rotation by limiting excessive privileges.

AC-3 Access Enforcement (prevent): Mandates enforcement of access control policies to block bypass of the file system permission protections exploited for local privilege escalation.

SI-2 Flaw Remediation (prevent): Requires timely flaw remediation, such as patching to Amazon WorkSpaces for Windows version 2.6.2034.0 or later, to address the improper privilege management in the log rotation mechanism.

References

AWS Security Bulletin 2026-025: https://aws.amazon.com/security/security-bulletins/2026-025-aws/