CVE-2026-7791

HIGH

Amazon Workspaces < 2.6.2034.0 - Authenticated Local Privilege Escalation via Log Rotation Race Condition

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-7791. PoCs published by BenZamir.

AI-analyzed exploit summary This repository contains a functional proof-of-concept exploit for CVE-2026-7791, a local privilege escalation vulnerability in Amazon WorkSpaces. The exploit leverages a TOCTOU (Time-of-Check Time-of-Use) race condition and arbitrary file write to escalate privileges to SYSTEM by manipulating directory junctions and file operations in the Skylight Workspace Config Service.

Description

Improper privilege management in the log rotation mechanism of the Skylight Workspace Config Service in Amazon WorkSpaces for Windows before 2.6.2034.0 allows a local non-admin authenticated user to place arbitrary files into arbitrary locations bypassing file system permission protections, leading to local privilege escalation to SYSTEM.

Exploits (1)

github WORKING POC
by BenZamir · cpoc
https://github.com/BenZamir/CVE-2026-7791

This repository contains a functional proof-of-concept exploit for CVE-2026-7791, a local privilege escalation vulnerability in Amazon WorkSpaces. The exploit leverages a TOCTOU (Time-of-Check Time-of-Use) race condition and arbitrary file write to escalate privileges to SYSTEM by manipulating directory junctions and file operations in the Skylight Workspace Config Service.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Racy
Target: Amazon WorkSpaces Skylight Workspace Config Service (versions before 2.6.2034.0)
Auth required
Prerequisites: Low-privileged user access on a vulnerable Amazon WorkSpaces system · Skylight Workspace Config Service version before 2.6.2034.0 · Scheduled log rotation event
mistral-large-3 · analyzed May 28, 2026 Full analysis →

References (1)

Core 1
Core References

Scores

CVSS v3 7.8
EPSS 0.0012
EPSS Percentile 2.4%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-367
Status published
Products (1)
Amazon/Workspaces 2.6.2034.0
Published May 04, 2026
Tracked Since May 05, 2026