CVE-2026-7191: CWE-94: Improper Control of Generation of Code ('Code Injection') in AWS QnABot on AWS
CVE-2026-7191 is a high-severity code injection vulnerability affecting AWS QnABot on AWS versions 7.2.4 and earlier. It results from unsafe use of the static-eval npm package, allowing an authenticated administrator to execute arbitrary code in the Lambda fulfillment environment via the Content Designer interface. This vulnerability bypasses sandbox restrictions through JavaScript prototype manipulation. Exploitation could lead to unauthorized access to sensitive backend resources such as Lambda environment variables, OpenSearch indices, S3 objects, and DynamoDB tables. AWS manages remediation server-side for this cloud service and recommends upgrading to version 7.3.0 or later. The CVSS score is 7.
AI Analysis
Technical Summary
CVE-2026-7191 is a code injection vulnerability (CWE-94) in AWS QnABot on AWS (versions 7.2.4 and earlier) caused by unsafe use of the static-eval npm package. An authenticated administrator can inject crafted expressions via the Content Designer interface, enabling arbitrary code execution in the Lambda fulfillment environment. This bypasses sandbox restrictions through JavaScript prototype manipulation, potentially exposing sensitive backend resources including Lambda environment variables, OpenSearch indices, S3 objects, and DynamoDB tables. AWS, as the cloud service provider, manages remediation server-side and advises upgrading to version 7.3.0 or later.
Potential Impact
Successful exploitation allows an authenticated administrator to execute arbitrary code within the Lambda fulfillment environment, bypassing sandbox restrictions. This can lead to unauthorized access and potential compromise of sensitive backend resources such as Lambda environment variables, OpenSearch indices, S3 objects, and DynamoDB tables. The vulnerability has a CVSS v3.1 score of 7.2, reflecting high impact on confidentiality, integrity, and availability.
Mitigation Recommendations
AWS manages remediation for this cloud-hosted service server-side. Customers should upgrade AWS QnABot to version 7.3.0 or later as recommended by AWS. Check the AWS security bulletin at https://aws.amazon.com/security/security-bulletins/2026-020-aws/ for the latest guidance and confirmation of patch status.
CVE-2026-7191: CWE-94: Improper Control of Generation of Code ('Code Injection') in AWS QnABot on AWS
Description
CVE-2026-7191 is a high-severity code injection vulnerability affecting AWS QnABot on AWS versions 7.2.4 and earlier. It results from unsafe use of the static-eval npm package, allowing an authenticated administrator to execute arbitrary code in the Lambda fulfillment environment via the Content Designer interface. This vulnerability bypasses sandbox restrictions through JavaScript prototype manipulation. Exploitation could lead to unauthorized access to sensitive backend resources such as Lambda environment variables, OpenSearch indices, S3 objects, and DynamoDB tables. AWS manages remediation server-side for this cloud service and recommends upgrading to version 7.3.0 or later. The CVSS score is 7.
CVSS v3.1
Score 7.2high
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-7191 is a code injection vulnerability (CWE-94) in AWS QnABot on AWS (versions 7.2.4 and earlier) caused by unsafe use of the static-eval npm package. An authenticated administrator can inject crafted expressions via the Content Designer interface, enabling arbitrary code execution in the Lambda fulfillment environment. This bypasses sandbox restrictions through JavaScript prototype manipulation, potentially exposing sensitive backend resources including Lambda environment variables, OpenSearch indices, S3 objects, and DynamoDB tables. AWS, as the cloud service provider, manages remediation server-side and advises upgrading to version 7.3.0 or later.
Potential Impact
Successful exploitation allows an authenticated administrator to execute arbitrary code within the Lambda fulfillment environment, bypassing sandbox restrictions. This can lead to unauthorized access and potential compromise of sensitive backend resources such as Lambda environment variables, OpenSearch indices, S3 objects, and DynamoDB tables. The vulnerability has a CVSS v3.1 score of 7.2, reflecting high impact on confidentiality, integrity, and availability.
Mitigation Recommendations
AWS manages remediation for this cloud-hosted service server-side. Customers should upgrade AWS QnABot to version 7.3.0 or later as recommended by AWS. Check the AWS security bulletin at https://aws.amazon.com/security/security-bulletins/2026-020-aws/ for the latest guidance and confirmation of patch status.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- AMZN
- Date Reserved
- 2026-04-27T13:37:55.232Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Is Cloud Service
- true
- Vendor Advisory Urls
- [{"url":"https://aws.amazon.com/security/security-bulletins/2026-020-aws/","vendor":"AWS"}]
Threat ID: 69efc789ba26a39fba6016ea
Added to database: 4/27/2026, 8:31:05 PM
Last enriched: 6/5/2026, 7:28:13 PM
Last updated: 6/12/2026, 4:06:51 AM
Views: 104
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.