CVE-2026-7191 - Arbitrary Code Execution via Sandbox Bypass in QnABot on AWS
Summary
QnABot on AWS, a conversational AI tool built with Amazon Lex and other AWS services, has a vulnerability in which administrators can run arbitrary code (unintended commands) by exploiting improper use of the static-eval npm package through the Content Designer interface. This potentially gives them access to sensitive backend resources, such as databases and environment variables, that should be protected.
Original source: https://aws.amazon.com/security/security-bulletins/rss/2026-020-aws/
First tracked: April 27, 2026 at 08:00 PM