Cyber Posture

CVE-2026-7791

High

Published: 04 May 2026
Modified: 05 May 2026
KEV Added: not listed
Patch: Amazon WorkSpaces for Windows 2.6.2034.0
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (2.2nd percentile)
Risk Priority: 16 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-7791 is a high-severity vulnerability in Amazon WorkSpaces for Windows (product inferred from references), classified as CWE-367, a time-of-check time-of-use (TOCTOU) race condition. Its CVSS v3.1 base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 2.2nd percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068), a local, authenticated, non-admin user writing files into locations the file system would otherwise protect. What defenders deploy: see the NIST 800-53 controls recommended below. Only the vendor patch removes the race itself; the access-control controls limit what a low-privileged user can reach if it is abused.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-6 Least Privilege (prevent)

Enforces least privilege for the Skylight Workspace Config Service, preventing arbitrary file placement in unauthorized locations during log rotation by limiting excessive privileges.

AC-3 Access Enforcement (prevent)

Mandates enforcement of access control policies to block bypass of file system permission protections exploited for local privilege escalation.

SI-2 Flaw Remediation (prevent)

Requires timely flaw remediation, such as patching to Amazon WorkSpaces for Windows version 2.6.2034.0 or later, to address the improper privilege management in the log rotation mechanism.

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

A local, authenticated, non-admin user can abuse the TOCTOU race in log rotation to write arbitrary files to arbitrary locations, which directly enables privilege escalation from a low-privileged user to SYSTEM on Windows.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Improper privilege management in the log rotation mechanism of the Skylight Workspace Config Service in Amazon WorkSpaces for Windows before 2.6.2034.0 allows a local non-admin authenticated user to place arbitrary files into arbitrary locations bypassing file system permission protections, leading to local privilege escalation to SYSTEM.

Deeper analysis

CVE-2026-7791 is a flaw in the log rotation mechanism of the Skylight Workspace Config Service in Amazon WorkSpaces for Windows before version 2.6.2034.0. NVD describes the root cause as improper privilege management, and the CVE is classified as CWE-367 (time-of-check time-of-use race condition): the privileged service validates a file-system state and then acts on it, and that state can change in between. Published on 2026-05-04, it carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H): local access and low privileges are required, no user interaction is needed, and confidentiality, integrity and availability impacts are all rated high.

A local non-admin authenticated user can exploit this vulnerability to place arbitrary files in arbitrary locations on the file system. Successful exploitation leads to local privilege escalation to SYSTEM privileges, potentially allowing full control over the affected WorkSpaces instance.
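The bug class, as an added illustration (not WorkSpaces code, and not the actual flaw in the Skylight Workspace Config Service, whose internals the advisory does not describe): a hypothetical privileged rotator that checks the archive destination for a symlink and then opens it by name, beside a version that creates the archive with O_CREAT|O_EXCL|O_NOFOLLOW and validates the open handle. The attacker's move is injected deterministically through a `race_hook` test seam rather than a real thread; the directory, file names and payload are constructed. It uses POSIX symlinks, so it runs as written on Linux; on Windows the attacker primitive would be an NTFS junction or symlink, and the hardening is the same idea, decide on the handle rather than the path.

```python
import os
import stat
import tempfile

# Constructed sample data: the low-privileged user influences what gets logged,
# so whatever the privileged rotator copies is attacker-chosen.
PAYLOAD = b"attacker-chosen content\n"
ORIGINAL = b"original protected content\n"

O_NOFOLLOW = getattr(os, "O_NOFOLLOW", 0)   # POSIX only; 0 (no-op) elsewhere


def rotate_vulnerable(log_path, archive_path, race_hook=None):
    """Check-then-use rotation (CWE-367): validate a path, then open it again by name."""
    # CHECK: refuse to write through a symlink at the archive destination.
    if os.path.islink(archive_path):
        raise PermissionError("archive destination is a symlink")
    if race_hook is not None:       # test seam standing in for the race window
        race_hook()
    # USE: the path is resolved a second time. A link planted after the check
    # is followed, and the log content is written wherever it points.
    with open(log_path, "rb") as src, open(archive_path, "wb") as dst:
        dst.write(src.read())
    os.truncate(log_path, 0)


def rotate_hardened(log_path, archive_path, race_hook=None):
    """Atomic create, then validate the handle instead of the path."""
    if race_hook is not None:
        race_hook()
    # O_CREAT|O_EXCL fails if anything already exists at the path (a planted
    # link included); O_NOFOLLOW refuses a link at the final component.
    fd = os.open(archive_path,
                 os.O_WRONLY | os.O_CREAT | os.O_EXCL | O_NOFOLLOW, 0o600)
    try:
        st = os.fstat(fd)           # belt and braces: inspect what was opened
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("archive handle is not a regular file")
        with open(log_path, "rb") as src:
            os.write(fd, src.read())
    finally:
        os.close(fd)
    os.truncate(log_path, 0)


def run_scenario(rotate):
    """Fresh directory, attacker races the rotator; return (victim content, error name)."""
    tmp = tempfile.mkdtemp()
    log = os.path.join(tmp, "app.log")           # user-writable log directory
    archive = os.path.join(tmp, "app.log.1")     # rotation destination
    victim = os.path.join(tmp, "protected.cfg")  # stands in for a SYSTEM-only path
    with open(log, "wb") as f:
        f.write(PAYLOAD)
    with open(victim, "wb") as f:
        f.write(ORIGINAL)

    def attacker():
        # Runs inside the race window: redirect the destination to the victim.
        os.symlink(victim, archive)

    try:
        rotate(log, archive, race_hook=attacker)
        error = None
    except OSError as exc:
        error = type(exc).__name__
    with open(victim, "rb") as f:
        return f.read(), error


if __name__ == "__main__":
    print("vulnerable:", run_scenario(rotate_vulnerable))
    print("hardened:  ", run_scenario(rotate_hardened))
```

The vulnerable rotator ends with the attacker's log content inside the protected file; the hardened one fails the open with FileExistsError and leaves it untouched. The point is that the hardened version never re-resolves a path after making a decision: creation is atomic and the decision is made on the descriptor with `fstat`. Real rotators also have to handle an archive name that already exists; opening relative to a held directory handle (`os.open(..., dir_fd=...)` on Linux) rather than unlinking and re-creating by path avoids reopening the window.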

AWS has published security bulletin 2026-025 addressing this vulnerability, available at https://aws.amazon.com/security/security-bulletins/2026-025-aws/. Security practitioners should review the bulletin for detailed mitigation guidance, including patching to Amazon WorkSpaces for Windows version 2.6.2034.0 or later.

Details

CWE(s)

CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition

Affected Products

Amazon WorkSpaces for Windows, versions before 2.6.2034.0
Inferred from references and description; NVD did not file a CPE for this CVE.

CVEs Like This One

CVE-2026-30332 (shared CWE-367)
CVE-2026-21240 (shared CWE-367)
CVE-2024-53028 (shared CWE-367)
CVE-2026-27750 (shared CWE-367)
CVE-2026-20816 (shared CWE-367)
CVE-2025-38352 (shared CWE-367)
CVE-2024-53032 (shared CWE-367)
CVE-2026-2364 (shared CWE-367)
CVE-2026-41651 (shared CWE-367)
CVE-2025-47407 (shared CWE-367)
