Description
Improper use of the static-eval npm package in the open source solution qnabot-on-aws versions 7.2.4 and earlier may allow an authenticated administrator to execute arbitrary code within the fulfillment Lambda execution context by injecting a crafted conditional chaining expression via the Content Designer interface, which bypasses the intended expression sandbox through JavaScript prototype manipulation. This may grant direct access to backend resources (Lambda environment variables, OpenSearch indices, S3 objects, DynamoDB tables) that are not exposed through normal administrative interfaces.

We recommend you upgrade to version 7.3.0 or above.
Published: 2026-04-27
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch
AI Analysis

Impact

An improper use of the static-eval npm package in the open source solution QnABot on AWS creates an unchecked code execution pathway within the fulfillment Lambda function. By injecting a crafted conditional chaining expression through the Content Designer interface, an authenticated administrator can bypass the intended sandbox and run arbitrary JavaScript in the Lambda execution context. This flaw corresponds to code injection (CWE‑94) and allows the attacker to read or manipulate backend resources such as Lambda environment variables, OpenSearch indices, S3 objects, and DynamoDB tables that are otherwise protected by the platform’s normal administrative controls.

Affected Systems

AWS QnABot on AWS, versions 7.2.4 and earlier. All deployments of these versions are potentially vulnerable until they are updated to 7.3.0 or higher.

Risk and Exploitability

The vulnerability has a CVSS score of 8.6, indicating high severity. The EPSS score is not available, so the current likelihood of exploitation is unknown, but the flaw is not listed in the CISA KEV catalog. The attack requires that the attacker has authenticated administrator privileges in the Content Designer interface; once those privileges are available, the exploit is straightforward and can allow full access to sensitive backend resources.

Generated by OpenCVE AI on April 28, 2026 at 19:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to QnABot on AWS version 7.3.0 or later to remove the vulnerable static‑eval dependency.
  • Restrict or disable access to the Content Designer interface for non‑trusted administrators to limit the ability to inject malicious expressions.
  • Review and tighten IAM permissions on the associated Lambda function and backend resources to ensure that only strictly necessary roles have access, reducing the impact of any potential code execution.

Generated by OpenCVE AI on April 28, 2026 at 19:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 27 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description Improper use of the static-eval npm package in the open source solution qnabot-on-aws versions 7.2.4 and earlier may allow an authenticated administrator to execute arbitrary code within the fulfillment Lambda execution context by injecting a crafted conditional chaining expression via the Content Designer interface, which bypasses the intended expression sandbox through JavaScript prototype manipulation. This may grant direct access to backend resources (Lambda environment variables, OpenSearch indices, S3 objects, DynamoDB tables) that are not exposed through normal administrative interfaces. We recommend you upgrade to version 7.3.0 or above.
Title Arbitrary Code Execution via Sandbox Bypass in the open source solution QnABot on AWS
First Time appeared Aws
Aws qnabot On Aws
Weaknesses CWE-94
CPEs cpe:2.3:a:aws:qnabot_on_aws:*:*:*:*:*:*:*:*
Vendors & Products Aws
Aws qnabot On Aws
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Aws Qnabot On Aws
cve-icon MITRE

Status: PUBLISHED

Assigner: AMZN

Published:

Updated: 2026-04-28T14:36:16.718Z

Reserved: 2026-04-27T13:37:55.232Z

Link: CVE-2026-7191

cve-icon Vulnrichment

Updated: 2026-04-28T13:33:30.562Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-27T21:16:44.513

Modified: 2026-04-28T20:11:56.713

Link: CVE-2026-7191

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T19:45:07Z

Weaknesses