CVE-2026-7791
Published: 04 May 2026
Description
Improper privilege management in the log rotation mechanism of the Skylight Workspace Config Service in Amazon WorkSpaces for Windows before 2.6.2034.0 allows a local non-admin authenticated user to place arbitrary files into arbitrary locations bypassing file system permission protections, leading to local privilege escalation to SYSTEM.
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Timestamps meeting UTC or offset standards help identify TOCTOU issues through precise chronological reconstruction of check/use operations.
Security Summary (AI)
CVE-2026-7791 is an improper privilege management vulnerability, classified under CWE-367 (time-of-check time-of-use race condition), in the log rotation mechanism of the Skylight Workspace Config Service in Amazon WorkSpaces for Windows before version 2.6.2034.0. Published on 2026-05-04, it carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The issue stems from inadequate handling of privileges during log rotation, enabling attackers to circumvent file system permission protections.
A local non-admin authenticated user can exploit this vulnerability to place arbitrary files in arbitrary locations on the file system. Successful exploitation leads to local privilege escalation to SYSTEM privileges, potentially allowing full control over the affected WorkSpaces instance.
AWS has published security bulletin 2026-025 addressing this vulnerability, available at https://aws.amazon.com/security/security-bulletins/2026-025-aws/. Security practitioners should review the bulletin for detailed mitigation guidance, including patching to Amazon WorkSpaces for Windows version 2.6.2034.0 or later.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
A local, authenticated arbitrary file write via a TOCTOU race condition in log rotation directly enables privilege escalation from a low-privileged user to SYSTEM on Windows.