CVE-2026-7191: qnabot-on-aws Admin RCE via Prototype Manipulation

/HIGH /CVSS 7.2/10
Written by SCW Vulnerability Desk Vulnerability Intelligence
SCW vulnerabilitycvehigh-severitycwe-94
CVE-2026-7191: qnabot-on-aws Admin RCE via Prototype Manipulation

The National Vulnerability Database has detailed CVE-2026-7191, a high-severity vulnerability (CVSS 7.2) impacting qnabot-on-aws versions 7.2.4 and earlier. This flaw stems from improper use of the static-eval npm package, enabling authenticated administrators to achieve arbitrary code execution within the fulfillment Lambda environment. The attack leverages JavaScript prototype manipulation to bypass the intended expression sandbox.

Attackers can inject crafted conditional chaining expressions via the Content Designer interface. This bypass grants direct access to backend resources such as Lambda environment variables, OpenSearch indices, S3 objects, and DynamoDB tables, which are typically inaccessible through standard administrative interfaces. This is a critical privilege escalation for an already authenticated user.

Organizations running qnabot-on-aws should prioritize upgrading to version 7.3.0 or above immediately. The vulnerability, categorized as CWE-94 (Improper Control of Generation of Code (‘Code Injection’)), represents a significant risk to data confidentiality, integrity, and availability within the AWS environment.

What This Means For You

  • If your organization uses qnabot-on-aws, specifically versions 7.2.4 or earlier, you are exposed to authenticated remote code execution. This isn't just a theoretical vulnerability; it provides a direct pathway for an attacker with admin credentials to pivot into your AWS backend infrastructure. Patch to version 7.3.0 or higher without delay and audit your qnabot-on-aws admin logs for any suspicious activity or unexpected modifications to content designer expressions.

Related ATT&CK Techniques

T1059.001 PowerShell Execution T1574.002 DLL Side-Loading Defense Evasion T1071.001 Web Protocol Command and Control

🛡️ Detection Rules

3 rules · 6 SIEM formats

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.

critical T1574.002 Execution

CVE-2026-7191: qnabot-on-aws Content Designer RCE via Prototype Manipulation

Sigma YAML — free preview 
title: CVE-2026-7191: qnabot-on-aws Content Designer RCE via Prototype Manipulation
id: scw-2026-04-27-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2026-7191 by targeting the qnabot-on-aws Content Designer interface. The vulnerability allows an authenticated administrator to execute arbitrary code via prototype manipulation in the 'eval' functionality. This rule looks for POST requests to the content designer endpoint with 'eval' in the query string and common JavaScript prototype manipulation patterns indicative of an exploit attempt.
author: SCW Feed Engine (AI-generated)
date: 2026-04-27
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7191/
tags:
  - attack.execution
  - attack.t1574.002
logsource:
    category: webserver
detection:
  selection:
      cs-uri|contains:
          - '/content/designer'
      cs-method|exact: 'POST'
      cs-uri-query|contains:
          - 'eval'
      # The exact payload will vary, but look for common JS prototype manipulation patterns
      # This is a simplified example and may require tuning based on observed traffic
      # The key is the combination of the path, method, and a suspicious query parameter with JS eval syntax.
  selection_indicators:
      cs-uri-query|contains:
          - 'constructor.constructor("return this")'
          - '__proto__'
          - 'prototype.constructor'
      condition: selection AND selection_indicators
  
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse

✓ Sigma · Splunk SPL Sentinel KQL Elastic QRadar AQL Wazuh Get rules for your SIEM →

Indicators of Compromise

IDTypeIndicator
CVE-2026-7191 RCE qnabot-on-aws versions 7.2.4 and earlier
CVE-2026-7191 RCE Improper use of static-eval npm package
CVE-2026-7191 RCE Content Designer interface via crafted conditional chaining expression
CVE-2026-7191 RCE JavaScript prototype manipulation bypasses expression sandbox

Written by SCW Vulnerability Desk

Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedApril 28, 2026 at 00:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Believe this infringes your rights? Submit a takedown request.

Related coverage

CVE-2026-7178: ChatGPTNextWeb NextChat SSRF Vulnerability

CVE-2026-7178 — A weakness has been identified in ChatGPTNextWeb NextChat up to 2.16.1. This affects the function storeUrl of the file app/api/artifacts/route.ts of the component...

vulnerabilityCVEhigh-severityserver-side-request-forgerycwe-918
/SCW Vulnerability Desk /HIGH /7.3 /⚑ 5 IOCs /⚙ 3 Sigma

ChatGPTNextWeb NextChat SSRF Vulnerability (CVE-2026-7177) Exposed

CVE-2026-7177 — A security flaw has been discovered in ChatGPTNextWeb NextChat up to 2.16.1. Affected by this issue is the function proxyHandler of the file...

vulnerabilityCVEhigh-severityserver-side-request-forgerycwe-918
/SCW Vulnerability Desk /HIGH /7.3 /⚑ 2 IOCs /⚙ 3 Sigma

Tenda HG3 Router Command Injection (CVE-2026-7160) Exposes Networks

CVE-2026-7160 — A vulnerability was determined in Tenda HG3 2.0. This vulnerability affects the function formTracert of the file /boaform/formTracert. Executing a manipulation of the...

vulnerabilityCVEhigh-severitycommand-injectioncwe-74cwe-77
/SCW Vulnerability Desk /HIGH /8.8 /⚑ 4 IOCs /⚙ 5 Sigma