Arbitrary Code Execution Vulnerability in Qnabot-on-AWS by AWS
CVE-2026-7191

8.6 HIGH

Key Information:

Vendor:
AWS

CVE Published:
27 April 2026

What is CVE-2026-7191?

The vulnerability arises from improper use of the static-eval npm package in QnABot on AWS, versions 7.2.4 and earlier. An authenticated administrator can submit crafted conditional chaining expressions through the Content Designer interface; these bypass the intended sandboxing of expression evaluation and execute arbitrary code in the fulfillment Lambda execution context. Because that code runs with the Lambda's execution role rather than with the administrator's own Content Designer permissions, it can reach backend resources that the standard administrative interfaces do not expose, including Lambda environment variables, OpenSearch indices, S3 objects, and DynamoDB tables. Upgrade to version 7.3.0 or later to mitigate this risk.
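The defensive alternative to handing administrator-supplied expressions to a general-purpose evaluator such as static-eval is a closed grammar: parse the one expression shape the feature needs and evaluate it with a hand-written interpreter that can only read own properties of a plain context object. The JavaScript below is an added example, not code from the QnABot project or from this advisory. It assumes a conditional-chaining expression of the form "ternary over session attributes" (the `SessionAttributes` context name, the operators supported and the sample values are illustrative assumptions; the real QnABot syntax may differ), and by design it treats `==` as strict equality.

```javascript
'use strict';

// Added example (not QnABot's code): evaluate a conditional-chaining style
// expression against session attributes with a closed grammar instead of a
// general JavaScript evaluator such as static-eval. The grammar admits only
// literals, dotted paths into own properties of a plain context object,
// comparisons, !, &&, ||, ?: and parentheses. There are no calls, no computed
// member access and no prototype walk, so no expression can reach Function,
// process or anything else outside the context object.

// One token per match: operator/punctuation, 'string', "string", number, identifier.
const TOKEN_RE = /\s*(?:(\|\||&&|===|!==|==|!=|<=|>=|[<>!?:().])|'((?:[^'\\]|\\.)*)'|"((?:[^"\\]|\\.)*)"|(\d+(?:\.\d+)?)|([A-Za-z_$][\w$]*))/y;

function tokenize(src) {
  const tokens = [];
  const text = src.trim();
  let pos = 0;
  while (pos < text.length) {
    TOKEN_RE.lastIndex = pos;
    const m = TOKEN_RE.exec(text);
    if (!m) throw new SyntaxError(`unexpected input at offset ${pos}`); // e.g. '=', '[', '`'
    pos = TOKEN_RE.lastIndex;
    if (m[1] !== undefined) tokens.push({ t: 'op', v: m[1] });
    else if (m[4] !== undefined) tokens.push({ t: 'num', v: Number(m[4]) });
    else if (m[5] !== undefined) tokens.push({ t: 'id', v: m[5] });
    else tokens.push({ t: 'str', v: (m[2] ?? m[3]).replace(/\\(.)/g, '$1') });
  }
  return tokens;
}

// == and != are deliberately strict; loose coercion is a classic footgun in routing rules.
const CMP = new Map([
  ['==', (a, b) => a === b], ['===', (a, b) => a === b],
  ['!=', (a, b) => a !== b], ['!==', (a, b) => a !== b],
  ['<', (a, b) => a < b], ['>', (a, b) => a > b],
  ['<=', (a, b) => a <= b], ['>=', (a, b) => a >= b],
]);

// Property names that must never be traversed even when they exist as own keys
// (JSON.parse can create an own "__proto__" key).
const FORBIDDEN = new Set(['constructor', '__proto__', 'prototype']);

class Parser {
  constructor(tokens, ctx) { this.toks = tokens; this.i = 0; this.ctx = ctx; }
  peekOp(v) { const tk = this.toks[this.i]; return !!tk && tk.t === 'op' && tk.v === v; }
  expectOp(v) { if (!this.peekOp(v)) throw new SyntaxError(`expected '${v}'`); this.i++; }

  // ternary := or ('?' ternary ':' ternary)?  Both branches are evaluated; evaluation has no side effects.
  ternary() {
    const cond = this.or();
    if (!this.peekOp('?')) return cond;
    this.expectOp('?');
    const whenTrue = this.ternary();
    this.expectOp(':');
    const whenFalse = this.ternary();
    return cond ? whenTrue : whenFalse;
  }
  or() { let v = this.and(); while (this.peekOp('||')) { this.i++; const r = this.and(); v = v || r; } return v; }
  and() { let v = this.cmp(); while (this.peekOp('&&')) { this.i++; const r = this.cmp(); v = v && r; } return v; }
  cmp() {
    let l = this.unary();
    for (let tk = this.toks[this.i]; tk && tk.t === 'op' && CMP.has(tk.v); tk = this.toks[this.i]) {
      this.i++;
      l = CMP.get(tk.v)(l, this.unary());
    }
    return l;
  }
  unary() { if (this.peekOp('!')) { this.i++; return !this.unary(); } return this.primary(); }
  primary() {
    const tk = this.toks[this.i++];
    if (!tk) throw new SyntaxError('unexpected end of expression');
    if (tk.t === 'str' || tk.t === 'num') return tk.v;
    if (tk.t === 'op' && tk.v === '(') { const v = this.ternary(); this.expectOp(')'); return v; }
    if (tk.t === 'id') {
      if (tk.v === 'true') return true;
      if (tk.v === 'false') return false;
      if (tk.v === 'null') return null;
      const path = [tk.v];
      while (this.peekOp('.')) {
        this.i++;
        const nx = this.toks[this.i++];
        if (!nx || nx.t !== 'id') throw new SyntaxError('expected property name after "."');
        path.push(nx.v);
      }
      return this.lookup(path);
    }
    throw new SyntaxError(`unexpected token '${tk.v}'`);
  }
  // Walk own properties only: a missing key yields undefined, never a prototype member.
  lookup(path) {
    let cur = this.ctx;
    for (const seg of path) {
      if (FORBIDDEN.has(seg)) throw new Error(`forbidden property '${seg}'`);
      if (cur === null || typeof cur !== 'object' || !Object.prototype.hasOwnProperty.call(cur, seg)) return undefined;
      cur = cur[seg];
    }
    if (typeof cur === 'function') throw new Error('functions are not valid expression values');
    return cur;
  }
}

function evaluateCondition(expr, ctx) {
  const p = new Parser(tokenize(expr), ctx);
  const result = p.ternary();
  if (p.i !== p.toks.length) throw new SyntaxError('trailing input after expression'); // rejects foo(), a[b], ...
  return result;
}

// True when the evaluator refuses an expression (syntax error or forbidden access).
function isRejected(expr, ctx) {
  try { evaluateCondition(expr, ctx); return false; } catch (e) { return true; }
}

// Constructed sample context for the demo (not real QnABot session data).
const SAMPLE_CTX = { SessionAttributes: { userRole: 'admin', visits: 3 } };

console.log(evaluateCondition("SessionAttributes.userRole == 'admin' ? 'QID::Admin' : 'QID::Guest'", SAMPLE_CTX));
console.log(isRejected("SessionAttributes.constructor.constructor('return process')()", SAMPLE_CTX));
```

The important property is what the grammar cannot express: there is no call syntax, no computed member access and no assignment, and `lookup` only follows own properties of plain objects, so a path like `SessionAttributes.constructor.constructor(...)` is refused before anything is evaluated, and `SessionAttributes.toString` simply resolves to `undefined`. Any expression language that needs more than this (function calls, method access) should be treated as untrusted code and run out of process, not inside the fulfillment Lambda's role.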

Affected Version(s)

QnABot on AWS, all versions up to and including 7.2.4 (fixed in 7.3.0)

CVSS v4

Score: 8.6
Severity: HIGH
Vulnerable System Confidentiality: High
Vulnerable System Integrity: High
Vulnerable System Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: High (an authenticated administrator, per the description)
User Interaction: None

Timeline

  • Vulnerability reserved
  • Vulnerability published: 27 April 2026

Credit

Endor Labs