Description
Improper privilege management in the log rotation mechanism of the Skylight Workspace Config Service in Amazon WorkSpaces for Windows before 2.6.2034.0 allows a local non-admin authenticated user to place arbitrary files into arbitrary locations bypassing file system permission protections, leading to local privilege escalation to SYSTEM.
Published: 2026-05-04
Score: 8.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Amazon WorkSpaces for Windows contains a flaw in the log rotation mechanism of the Skylight Workspace Config Service. The service does not correctly enforce privilege boundaries, allowing a logged-in non-administrator user to write files to any location. This bypasses file system permission checks and leads to local privilege escalation to SYSTEM. The CVE description characterizes the weakness as improper privilege management; the record classifies it as CWE-367 (Time-of-check Time-of-use (TOCTOU) Race Condition).

Affected Systems

The vulnerability applies to all Amazon WorkSpaces for Windows instances whose Skylight Workspace Config Service version is earlier than 2.6.2034.0. No other versions or operating systems are affected according to the CNA information.

Risk and Exploitability

With a CVSS 4.0 score of 8.5 (7.8 under CVSS 3.1), the flaw is rated High. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting limited public exploitation data. The attack vector is local: an authenticated non-admin user must already have access to the workstation and sufficient rights to invoke the log rotation service. Once the arbitrary file write is performed, the user can place a program or script that runs with elevated privileges and execute it to gain SYSTEM rights.

Generated by OpenCVE AI on May 4, 2026 at 23:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Amazon WorkSpaces to version 2.6.2034.0 or later to obtain the vendor’s fix for the log rotation privilege flaw.
  • Restrict ordinary local users by removing the ability to write to protected directories or disabling write permissions on the Skylight Workspace Config Service log files. This limits the ability to place malicious payloads.
  • If a patch cannot be applied immediately, disable or temporarily suspend the Skylight Workspace Config Service log rotation feature to prevent the privilege escalation path.

Generated by OpenCVE AI on May 4, 2026 at 23:50 UTC.

Advisories

No advisories yet.

History

Tue, 05 May 2026 00:00:00 +0000

Values added:

  • Title: Privilege Escalation via Log Rotation in Amazon WorkSpaces

Mon, 04 May 2026 23:45:00 +0000

Values added:

  • First Time appeared: Amazon; Amazon workspaces
  • Vendors & Products: Amazon; Amazon workspaces

Mon, 04 May 2026 22:15:00 +0000

Values added:

  • Description: Improper privilege management in the log rotation mechanism of the Skylight Workspace Config Service in Amazon WorkSpaces for Windows before 2.6.2034.0 allows a local non-admin authenticated user to place arbitrary files into arbitrary locations bypassing file system permission protections, leading to local privilege escalation to SYSTEM.
  • Weaknesses: CWE-367
  • References
  • Metrics:
      cvssV3_1: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
      cvssV4_0: {'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: AMZN

Published:

Updated: 2026-05-04T22:07:35.680Z

Reserved: 2026-05-04T18:48:58.397Z

Link: CVE-2026-7791

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-04T22:16:20.697

Modified: 2026-05-04T22:16:20.697

Link: CVE-2026-7791

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T00:00:10Z
