CVE-2026-6911 | THREATINT

Description

Missing JWT signature verification in AWS Ops Wheel allows unauthenticated attackers to forge JWT tokens and gain unintended administrative access to the application, including the ability to read, modify, and delete all application data across tenants and manage Cognito user accounts within the deployment's User Pool, via a crafted JWT sent to the API Gateway endpoint. To remediate this issue, users should redeploy from the updated repository and ensure any forked or derivative code is patched to incorporate the new fixes.

PUBLISHED Reserved 2026-04-23 | Published 2026-04-24 | Updated 2026-04-24 | Assigner AMZN

CRITICAL: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CRITICAL: 9.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

Problem types

CWE-347 Improper verification of cryptographic signature

Product status

Default status

unaffected

Any version before 163

affected

References

aws.amazon.com/security/security-bulletins/2026-018-aws/ vendor-advisory

github.com/aws/aws-ops-wheel/pull/164 patch

github.com/...-wheel/security/advisories/GHSA-v5vr-8w3c-37x2 third-party-advisory

cve.org (CVE-2026-6911)

nvd.nist.gov (CVE-2026-6911)

Download JSON