JWT Vulnerability in AWS Ops Wheel Allows Unauthorized Access
CVE-2026-6911

9.3 CRITICAL

Key Information:

Vendor:
AWS

CVE Published:
24 April 2026

What is CVE-2026-6911?

A vulnerability in AWS Ops Wheel allows an unauthenticated, network-based attacker to bypass JWT signature verification. Because the signature is not validated, the attacker can craft a JWT carrying arbitrary claims and present it as though it had been issued to an administrator, gaining administrative control of the application. With that access the attacker can read, modify and delete application data across multiple tenants and manage Cognito user accounts in the associated User Pool. Affected users should redeploy the application from the updated repository; anyone running a fork or derivative of the code must port the fix into their own copy.
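The following is an added illustration of the failure class described above. It is not code from AWS Ops Wheel, and the advisory does not say which specific coding error caused the bypass, so the example shows the general pattern: a verifier that decodes JWT claims without checking the signature beside one that pins the algorithm, checks the signature in constant time, and validates exp, iss, aud and token_use before any claim is used for authorization. Cognito tokens are RS256-signed and are verified against the User Pool's JWKS; this example uses HS256 with a shared secret so it runs with the Python standard library alone. The secret, issuer, audience, group name and claim values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example only. Real Cognito tokens are RS256-signed and
# verified against the User Pool's JWKS; HS256 with a shared secret is used here so the
# example runs with the standard library alone.
SERVER_SECRET = b"example-shared-secret-do-not-reuse"
EXPECTED_ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"  # assumed
EXPECTED_AUDIENCE = "example-app-client-id"  # assumed app client id
ADMIN_GROUP = "admin"  # assumed group name carried in cognito:groups


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Issuer side: a correctly signed token."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(claims)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def forge_token(claims: dict, alg: str = "HS256") -> str:
    """Attacker side: arbitrary claims with a signature segment that was never computed
    over them (or, with alg='none', no signature at all)."""
    sig = "" if alg == "none" else _b64url_encode(b"not-a-real-signature")
    return _segment({"alg": alg, "typ": "JWT"}) + "." + _segment(claims) + "." + sig


def decode_unverified(token: str) -> dict:
    """VULNERABLE pattern: reads the payload and trusts it without checking the signature."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))


def verify_hs256(token: str, secret: bytes, now=None) -> dict:
    """Hardened pattern: pin the algorithm, check the signature in constant time, then
    check exp, iss, aud and token_use before any claim is used for authorization."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("wrong audience")
    if claims.get("token_use") != "id":
        raise ValueError("wrong token_use")
    return claims


def is_admin(claims: dict) -> bool:
    return ADMIN_GROUP in claims.get("cognito:groups", [])


def run_demo(now: int = 1_800_000_000) -> dict:
    """Compare how the two verifiers treat a forged admin token and a legitimate user token."""
    base = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "token_use": "id", "exp": now + 3600}
    forged = forge_token({**base, "sub": "attacker", "cognito:groups": [ADMIN_GROUP]})
    legit = sign_hs256({**base, "sub": "alice", "cognito:groups": ["users"]}, SERVER_SECRET)

    def hardened_accepts(tok: str) -> bool:
        try:
            verify_hs256(tok, SERVER_SECRET, now=now)
            return True
        except ValueError:
            return False

    return {
        "vulnerable_grants_admin": is_admin(decode_unverified(forged)),
        "hardened_accepts_forged": hardened_accepts(forged),
        "hardened_accepts_alg_none": hardened_accepts(forge_token({**base, "sub": "attacker"}, alg="none")),
        "hardened_accepts_legit": hardened_accepts(legit),
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The point to carry over to a real deployment is the order of checks in verify_hs256: algorithm pinned by the server, signature checked before the payload is parsed for authorization, then expiry, issuer, audience and token_use. With Cognito the same shape applies, but the key comes from the User Pool's JWKS (selected by the token's kid header) and the algorithm pinned is RS256; a maintained JWT library does this for you if you pass the expected algorithms, issuer and audience explicitly rather than relying on its defaults.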

Affected Version(s)

AWS Ops Wheel: all versions before 163 (affected range: 0 <= version < 163)

CVSS v4

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined (not given on this page; the description above states the attacker is unauthenticated)
User Interaction: None

Timeline

  • Vulnerability published: 24 April 2026

  • Vulnerability reserved: date not given on this page