CVE-2026-7791 Overview
CVE-2026-7791 is a local privilege escalation vulnerability in the Skylight Workspace Config Service component of Amazon WorkSpaces for Windows. The flaw resides in the service's log rotation mechanism, which performs file operations without proper privilege validation. A local non-administrative authenticated user can abuse this behavior to place arbitrary files into arbitrary filesystem locations, bypassing standard NTFS permission protections. Successful exploitation results in code execution as the SYSTEM account. The issue is tracked under CWE-367 (Time-of-Check Time-of-Use race condition) and affects Amazon WorkSpaces for Windows clients prior to version 2.6.2034.0.
Critical Impact
A local non-admin user can escalate to SYSTEM-level privileges on any Windows host running a vulnerable Amazon WorkSpaces client.
Affected Products
- Amazon WorkSpaces client for Windows versions prior to 2.6.2034.0
- Skylight Workspace Config Service (component shipped with the WorkSpaces Windows client)
- Windows endpoints with the vulnerable WorkSpaces client installed
Discovery Timeline
- 2026-05-04 - CVE-2026-7791 published to NVD
- 2026-05-05 - Last updated in NVD database
- AWS Security Bulletin 2026-025 - Vendor advisory published by Amazon Web Services
Technical Details for CVE-2026-7791
Vulnerability Analysis
The Skylight Workspace Config Service runs with SYSTEM privileges on Windows hosts where the Amazon WorkSpaces client is installed. As part of routine operation, the service rotates its log files, performing file creation, renaming, or deletion in a directory that is reachable by non-privileged users. The log rotation routine does not adequately validate the trust boundary between the service and the user-controlled portions of the filesystem before performing privileged file operations.
Because the operation runs in the context of SYSTEM, any file write performed by the service inherits those privileges. A standard local user can manipulate filesystem state in the window between the service's privilege check and its file operation, redirecting writes to locations the user could not otherwise modify. This is a classic Time-of-Check Time-of-Use (TOCTOU) condition catalogued as CWE-367.
Root Cause
The root cause is improper privilege management combined with a TOCTOU race in the log rotation logic. The service evaluates the target path or its metadata at one point in time, then later opens or writes that path under SYSTEM context without re-verifying that the path still resolves to a safe, service-owned location. An attacker can replace a directory entry with a symbolic link, junction, or hard link between those two operations.
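The following is an added illustration of the root-cause pattern, not code from Amazon or from the WorkSpaces client. It places a check-then-act rotation (the CWE-367 shape described above) beside a handle-based rotation that never trusts the path between the check and the write. The POSIX file API is used so the example runs anywhere; the Windows analogue is to open the directory and file handles first (with FILE_FLAG_OPEN_REPARSE_POINT), verify the handle's attributes, and perform the rename and create through those handles rather than through the path. The directory layout, file names and the `during` hook that stands in for the race window are all constructed for the demo.

```python
import os
import stat
import tempfile
from typing import Callable, Optional

# Optional hook that stands in for the race window: the demo uses it to
# drop a symlink at exactly the point a low-privileged user would.
Hook = Optional[Callable[[], None]]


def rotate_log_unsafe(log_dir: str, name: str = "service.log", during: Hook = None) -> str:
    """Check-then-act rotation (the CWE-367 shape): the check, the rename and
    the create all go through the path, so whatever the path points to at the
    moment of the final open() is what gets truncated."""
    path = os.path.join(log_dir, name)
    if os.path.islink(path):                      # time of check
        raise PermissionError("refusing to rotate a symlink")
    os.replace(path, path + ".1")                 # rename, by path
    if during:
        during()                                  # the window the check does not cover
    with open(path, "w"):                         # time of use: follows a planted link
        pass
    return path + ".1"


def rotate_log_safe(log_dir: str, name: str = "service.log", during: Hook = None) -> str:
    """Handle-based rotation: open the directory once, refuse to follow links
    at every step, and create the new file with O_EXCL so a name filled in
    behind our back fails closed instead of being followed."""
    dfd = os.open(log_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        st = os.stat(name, dir_fd=dfd, follow_symlinks=False)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{name} is not a regular file")
        os.rename(name, name + ".1", src_dir_fd=dfd, dst_dir_fd=dfd)
        if during:
            during()                              # same window, now harmless
        fd = os.open(name, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW,
                     0o600, dir_fd=dfd)
        os.close(fd)                              # later writes go through fd, never the path
        return os.path.join(log_dir, name + ".1")
    finally:
        os.close(dfd)


def demo() -> dict:
    """Run both rotations against a constructed layout in a temp dir and
    report what happened to a file outside the log directory."""
    results = {}
    for rotate in (rotate_log_unsafe, rotate_log_safe):
        with tempfile.TemporaryDirectory() as root:
            log_dir = os.path.join(root, "logs")
            os.mkdir(log_dir)
            target = os.path.join(root, "protected.txt")  # stands in for a SYSTEM-only file
            with open(target, "w") as fh:
                fh.write("original contents")
            with open(os.path.join(log_dir, "service.log"), "w") as fh:
                fh.write("log line\n")

            def plant_link(t=target, d=log_dir):
                # What the low-privileged user does inside the window.
                os.symlink(t, os.path.join(d, "service.log"))

            try:
                rotate(log_dir, during=plant_link)
                outcome = "rotated"
            except FileExistsError:
                outcome = "refused"
            with open(target) as fh:
                results[rotate.__name__] = (outcome, fh.read())
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the unsafe routine truncating the out-of-directory file through the planted link, while the handle-based routine raises on the O_EXCL create and leaves it untouched. The lstat check in the safe version is kept only for a clear error message; correctness comes from the directory handle, the no-follow flags and the exclusive create, none of which depend on the check still being true.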
Attack Vector
Exploitation requires local access and valid low-privileged credentials on the Windows host. The attacker prepares a filesystem object such as an NTFS junction or object manager symlink that points the service's log rotation target to a sensitive location, for example a directory containing DLLs loaded by privileged services or a startup path. When the Skylight Workspace Config Service performs its next rotation cycle, it writes attacker-controlled content into that location with SYSTEM privileges. The attacker then triggers loading of the planted file to gain code execution as SYSTEM. No network access, user interaction, or administrative privileges are required. See the AWS Security Bulletin 2026-025 for vendor-confirmed details.
Detection Methods for CVE-2026-7791
Indicators of Compromise
- Creation of NTFS junctions, reparse points, or object manager symlinks by non-administrative users in or near the Skylight Workspace Config Service log directory.
- Files written by the SYSTEM account into directories not normally touched by the WorkSpaces client, such as System32, service install paths, or startup folders.
- Unexpected child processes spawned by the Skylight Workspace Config Service shortly after a log rotation event.
- Presence of Amazon WorkSpaces for Windows client versions earlier than 2.6.2034.0.
Detection Strategies
- Audit Windows Security event logs for file creation events (Event ID 4663) where the writing process is the Skylight service and the target path is outside its expected log directory.
- Hunt for reparse point creation events (Sysmon Event ID 11 with reparse attributes, or Event ID 4656 on directory objects) originating from non-privileged user sessions.
- Correlate user-mode symlink creation with subsequent privileged file writes within a short time window to identify TOCTOU exploitation attempts.
Monitoring Recommendations
- Inventory all Windows endpoints running the Amazon WorkSpaces client and flag any version below 2.6.2034.0.
- Monitor integrity of high-value directories such as C:\Windows\System32 and per-service installation paths for unexpected file additions attributed to SYSTEM.
- Alert on creation of junctions or symlinks within directories writable by standard users that target privileged paths.
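As an added example (not from the advisory or from AWS), the detection strategies and the version inventory above are expressed as code and run over a handful of constructed event records. The service image path, log directory, user names and timestamps are placeholders assumed for the example; the event IDs (4663, Sysmon 11) and the fixed version 2.6.2034.0 are the advisory's own.

```python
from datetime import datetime

# Placeholders: assumed values for this example, not the real image name or
# log directory of the WorkSpaces client.
SERVICE_IMAGE = r"C:\Program Files\WorkSpacesClient\skylight-config-service.exe"
LOG_DIR = r"C:\ProgramData\WorkSpacesClient\Logs"
ADMIN_USERS = {r"NT AUTHORITY\SYSTEM", r"CORP\admin01"}
FIXED_VERSION = "2.6.2034.0"          # from the advisory

# Constructed event records (flattened fields from 4663 and Sysmon 11).
EVENTS = [
    # Routine rotation: the service writes inside its own log directory.
    {"ts": "2026-05-06T08:00:00", "event_id": 4663, "user": r"NT AUTHORITY\SYSTEM",
     "image": SERVICE_IMAGE, "path": LOG_DIR + r"\service.log.1", "reparse": False},
    # A standard user creates a reparse point inside the log directory.
    {"ts": "2026-05-06T08:05:00", "event_id": 11, "user": r"CORP\jdoe",
     "image": r"C:\Users\jdoe\tool.exe", "path": LOG_DIR + r"\service.log", "reparse": True},
    # Thirty seconds later the service writes outside its log directory.
    {"ts": "2026-05-06T08:05:30", "event_id": 4663, "user": r"NT AUTHORITY\SYSTEM",
     "image": SERVICE_IMAGE, "path": r"C:\Windows\System32\unexpected.dll", "reparse": False},
    # An administrator's junction is out of scope for this hunt.
    {"ts": "2026-05-06T09:00:00", "event_id": 11, "user": r"CORP\admin01",
     "image": r"C:\Windows\explorer.exe", "path": r"C:\Temp\link", "reparse": True},
    # A standard-user reparse point with no privileged write after it.
    {"ts": "2026-05-06T10:00:00", "event_id": 11, "user": r"CORP\jdoe",
     "image": r"C:\Users\jdoe\tool.exe", "path": r"C:\Users\jdoe\link", "reparse": True},
]


def _norm(p: str) -> str:
    # Windows paths are case-insensitive; also tolerate forward slashes.
    return p.replace("/", "\\").rstrip("\\").lower()


def _under(path: str, directory: str) -> bool:
    return _norm(path).startswith(_norm(directory) + "\\")


def _ts(e: dict) -> datetime:
    return datetime.fromisoformat(e["ts"])


def privileged_writes_outside_log_dir(events: list) -> list:
    """4663 file writes by the service image whose target is not in its log directory."""
    return [e for e in events
            if e["event_id"] == 4663
            and _norm(e["image"]) == _norm(SERVICE_IMAGE)
            and not _under(e["path"], LOG_DIR)]


def reparse_creations_by_standard_users(events: list) -> list:
    """Reparse point (junction/symlink) creation by any account not in the admin set."""
    return [e for e in events if e["reparse"] and e["user"] not in ADMIN_USERS]


def correlate_toctou(events: list, window_seconds: int = 300) -> list:
    """Pair each standard-user reparse creation with a privileged out-of-directory
    write that follows it within the window. Returns (user, link path, write path, seconds)."""
    writes = privileged_writes_outside_log_dir(events)
    hits = []
    for link in reparse_creations_by_standard_users(events):
        for w in writes:
            delta = (_ts(w) - _ts(link)).total_seconds()
            if 0 <= delta <= window_seconds:
                hits.append((link["user"], link["path"], w["path"], int(delta)))
    return hits


def is_vulnerable_version(version: str, fixed: str = FIXED_VERSION) -> bool:
    """Numeric, component-wise comparison: string comparison would rank
    '2.6.999.0' above '2.6.2034.0' and miss a vulnerable client."""
    def parts(v: str) -> tuple:
        return tuple(int(x) for x in v.split("."))
    return parts(version) < parts(fixed)


if __name__ == "__main__":
    for hit in correlate_toctou(EVENTS):
        print("possible TOCTOU chain:", hit)
    for v in ("2.6.999.0", "2.6.2034.0"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "fixed")
```

On real data the records would come from exported 4663 and Sysmon 11 events with the fields mapped to the same keys; the window of five minutes is a starting point, since a rotation cycle that fires on a timer may land well after the link was planted.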
How to Mitigate CVE-2026-7791
Immediate Actions Required
- Upgrade the Amazon WorkSpaces client for Windows to version 2.6.2034.0 or later on every affected endpoint.
- Restrict interactive and remote logon rights on hosts running the WorkSpaces client to trusted users while patching is in progress.
- Review recent file writes performed by the Skylight Workspace Config Service to confirm no prior exploitation has occurred.
Patch Information
Amazon Web Services has released a fixed build of the Amazon WorkSpaces client for Windows. Versions 2.6.2034.0 and later remediate the improper privilege management in the Skylight Workspace Config Service log rotation routine. Refer to AWS Security Bulletin 2026-025 for download links and full version guidance.
Workarounds
- No vendor-supplied workaround replaces patching; apply the fixed client version as the primary remediation.
- Where immediate patching is not possible, limit local logon on WorkSpaces-enabled hosts to administrative users only, removing the local non-admin attacker prerequisite.
- Enforce application allow-listing to block execution of unsigned binaries from user-writable locations that could be staged for the privileged write.
# Configuration example: query installed WorkSpaces client version on Windows.
# Both the native and the 32-bit (WOW6432Node) uninstall keys are checked; a
# per-user install registers under the equivalent HKCU key instead.
powershell -Command "Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*', 'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like 'Amazon WorkSpaces*' } | Select-Object DisplayName, DisplayVersion"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.