CVE-2026-7791

Description

Improper privilege management in the log rotation mechanism of the Skylight Workspace Config Service in Amazon WorkSpaces for Windows before 2.6.2034.0 allows a local non-admin authenticated user to place arbitrary files into arbitrary locations bypassing file system permission protections, leading to local privilege escalation to SYSTEM.

CVSS Details

CVSS Score

7.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Amazon WorkSpaces for Windows < 2.6.2034.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# PoC Concept for CVE-2026-7791
# This script simulates the logic of exploiting improper privilege management
# in the log rotation mechanism to achieve arbitrary file write.

import os
import sys
import time

def trigger_exploit():
    # Configuration
    target_service = "Skylight Workspace Config Service"
    payload_path = "C:\\temp\\evil.dll"
    destination_path = "C:\\Windows\\System32\\evil.dll"

    print(f"[*] Targeting: {target_service}")
    print(f"[*] Preparing payload at: {payload_path}")

    # Step 1: Create the malicious payload
    # In a real scenario, this would be a compiled DLL or EXE
    with open(payload_path, 'wb') as f:
        f.write(b'MZ') # Dummy PE header

    # Step 2: Wait for or trigger the log rotation event
    # The vulnerability allows placing the file in an arbitrary location
    # due to weak permissions on the log rotation mechanism.
    print("[*] Waiting for log rotation trigger...")
    
    # Simulation of the exploit logic
    # Exploit: Manipulate file handle or directory junction to redirect write
    try:
        # Hypothetical symlink creation or file copy simulation
        if os.path.exists(payload_path):
            print(f"[+] Arbitrarily moving file to {destination_path}")
            # os.rename(payload_path, destination_path) # Privileged operation simulation
            print("[+] Exploit successful: Privilege Escalation to SYSTEM achieved.")
        else:
            print("[-] Payload creation failed.")
    except Exception as e:
        print(f"[-] Exploit failed: {e}")

if __name__ == "__main__":
    trigger_exploit()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-7791
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-7791
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-7791/
[4] VulDB https://vuldb.com/cve/CVE-2026-7791
[5] https://aws.amazon.com/security/security-bulletins/2026-025-aws/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-7791", "sourceIdentifier": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "published": "2026-05-04T22:16:20.697", "lastModified": "2026-05-05T19:32:23.613", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper privilege management in the log rotation mechanism of the Skylight Workspace Config Service in Amazon WorkSpaces for Windows before 2.6.2034.0 allows a local non-admin authenticated user to place arbitrary files into arbitrary locations bypassing file system permission protections, leading to local privilege escalation to SYSTEM."}], "metrics": {"cvssMetricV40": [{"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-367"}]}], "references": [{"url": "https://aws.amazon.com/security/security-bulletins/2026-025-aws/", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}]}}