Improper Attribute Modification in AWS Ops Wheel Affects Cognito User Pools
CVE-2026-6912

8.7HIGH

Key Information:

Vendor

Aws

Status
Aws Ops Wheel
Vendor
CVE Published:
24 April 2026

What is CVE-2026-6912?

AWS Ops Wheel has a significant vulnerability affecting Cognito User Pool configuration that allows remote authenticated users to gain elevated privileges. Specifically, the flaw arises from improperly controlled modifications of dynamically determined object attributes, enabling malicious users to escalate their access to deployment admin status. This could result in unauthorized management of Cognito user accounts through a crafted UpdateUserAttributes API call that injects a custom attribute. To mitigate potential risks, users are advised to promptly redeploy from the updated repository and ensure that any forked or derivative code is patched with the latest fixes.

Affected Version(s)

AWS Ops Wheel 0 < 164

References

https://github.com/aws/aws-ops-wheel/pull/165
patch
https://aws.amazon.com/security/security-bulletins/2026-0...
vendor-advisory
https://github.com/aws/aws-ops-wheel/security/advisories/...
third-party-advisory

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.