Amazon WorkSpaces Escalation: Local User to SYSTEM via Log Rotation

/HIGH /CVSS 7.8/10
Written by SCW Vulnerability Desk Vulnerability Intelligence
SCW vulnerabilitycvehigh-severityprivilege-escalationcwe-367
Amazon WorkSpaces Escalation: Local User to SYSTEM via Log Rotation

The National Vulnerability Database has disclosed CVE-2026-7791, a high-severity privilege escalation vulnerability in Amazon WorkSpaces for Windows. Specifically, the Skylight Workspace Config Service, in versions prior to 2.6.2034.0, suffers from improper privilege management within its log rotation mechanism. This flaw allows a local, authenticated non-administrator user to bypass file system permissions.

This isn’t just a theoretical issue. An attacker can place arbitrary files into arbitrary locations, which leads directly to local privilege escalation, granting them SYSTEM-level access. The CVSS score of 7.8 (HIGH) reflects the critical impact (C:H, I:H, A:H) and low attack complexity (AC:L) for an attacker who already has local access. The vulnerability is tied to CWE-367 (Time-of-check Time-of-use (TOCTOU) Race Condition), indicating a window where file system operations can be manipulated.

For defenders, this means any compromised non-admin account on an affected Amazon WorkSpaces instance can be immediately leveraged for full system control. It’s a clear path from user to root. This isn’t about remote exploitation; it’s about solidifying internal defenses and minimizing the blast radius once an initial foothold is gained. Lateral movement and persistence become trivial once SYSTEM is achieved.

What This Means For You

  • If your organization uses Amazon WorkSpaces for Windows, you need to immediately verify that all instances are updated to version 2.6.2034.0 or newer. A local, authenticated attacker can fully compromise your WorkSpaces environment if this patch is missing. Do not delay patching this, as it significantly raises the risk profile for any compromised user account.

Related ATT&CK Techniques

T1548.001 Setuid and Setgid Privilege Escalation T1068 Exploitation for Privilege Escalation Privilege Escalation T1278.002 Windows Management Instrumentation Privilege Escalation

🛡️ Detection Rules

3 rules · 6 SIEM formats

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.

critical T1068 Privilege Escalation

CVE-2026-7791 - Local Privilege Escalation via Skylight Workspace Config Service Log Rotation

Sigma YAML — free preview 
title: CVE-2026-7791 - Local Privilege Escalation via Skylight Workspace Config Service Log Rotation
id: scw-2026-05-04-ai-1
status: experimental
level: critical
description: |
  Detects the execution of the Skylight Workspace Config Service, which is vulnerable to privilege escalation via log rotation. A local non-admin user can exploit this to place arbitrary files, leading to SYSTEM privileges. This rule specifically targets the known vulnerable service and its typical parent process.
author: SCW Feed Engine (AI-generated)
date: 2026-05-04
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7791/
tags:
  - attack.privilege_escalation
  - attack.t1068
logsource:
    category: process_creation
detection:
  selection:
      Image|endswith:
          - 'SkylightWorkspaceConfigService.exe'
      ParentImage|endswith:
          - 'svchost.exe'
      CommandLine|contains:
          - 'logrotate'
      condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse

✓ Sigma · Splunk SPL Sentinel KQL Elastic QRadar AQL Wazuh Get rules for your SIEM →

Indicators of Compromise

IDTypeIndicator
CVE-2026-7791 Privilege Escalation Amazon WorkSpaces for Windows before 2.6.2034.0
CVE-2026-7791 Privilege Escalation Skylight Workspace Config Service log rotation mechanism
CVE-2026-7791 Privilege Escalation CWE-269: Improper Privilege Management

Written by SCW Vulnerability Desk

Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedMay 05, 2026 at 01:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Believe this infringes your rights? Submit a takedown request.

Related coverage

CVE-2026-7782 — CodeCanyon Perfex CRM Vulnerability

CVE-2026-7782 — A vulnerability was detected in CodeCanyon Perfex CRM up to 3.4.1. This affects the function Clients::project of the file application/controllers/Clients.php of the component...

vulnerabilityCVEmedium-severitycwe-285cwe-639
/SCW Vulnerability Desk /MEDIUM /6.3 /⚑ 3 IOCs /⚙ 2 Sigma

CVE-2026-7781 — Open5GS Denial of Service

CVE-2026-7781 — A security vulnerability has been detected in Open5GS up to 2.7.7. Affected by this issue is the function udm_nudm_uecm_handle_amf_registration_update of the file /src/udm/nudm-handler.c...

vulnerabilityCVEmedium-severitydenial-of-servicecwe-404
/SCW Vulnerability Desk /MEDIUM /4.3 /⚑ 2 IOCs /⚙ 2 Sigma

CVE-2026-7780 — Denial of Service

CVE-2026-7780 — A weakness has been identified in Open5GS up to 2.7.7. Affected by this vulnerability is the function udm_state_operational of the file /src/udm/udm-sm.c of...

vulnerabilityCVEmedium-severitydenial-of-servicecwe-404
/SCW Vulnerability Desk /MEDIUM /4.3 /⚑ 2 IOCs /⚙ 1 Sigma