Description

Improperly controlled modification of dynamically-determined object attributes in the Cognito User Pool configuration in AWS Ops Wheel before PR #165 allows remote authenticated users to escalate to deployment admin privileges and manage Cognito user accounts via a crafted UpdateUserAttributes API call that sets the custom:deployment_admin attribute. To remediate this issue, users should redeploy from the updated repository and ensure any forked or derivative code is patched to incorporate the new fixes.
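
As an added defender's check, not code from AWS Ops Wheel or from the referenced PR, the helper below flags a Cognito custom attribute that carries authorization meaning (here custom:deployment_admin, as named in the description) when the user pool defines it and the app client leaves it in the set a signed-in user may write through UpdateUserAttributes. It assumes the dict shapes returned by boto3's describe_user_pool and describe_user_pool_client, and the two sample configurations are constructed for illustration.

```python
"""Audit helper (added example): flag Cognito custom attributes that carry
authorization meaning but that the app client lets the end user modify.
Assumes the dict shapes of boto3 describe_user_pool / describe_user_pool_client.
"""

# Attribute named in the advisory; any other name you add here is your own choice.
PRIVILEGE_ATTRIBUTES = frozenset({"custom:deployment_admin"})


def self_writable_privilege_attributes(user_pool: dict, app_client: dict,
                                        privilege_attributes=PRIVILEGE_ATTRIBUTES) -> list:
    """Return the privilege attributes a signed-in user could change via this client.

    user_pool:  the "UserPool" dict from describe_user_pool (SchemaAttributes is used)
    app_client: the "UserPoolClient" dict from describe_user_pool_client (WriteAttributes)
    """
    schema = {a["Name"]: a for a in user_pool.get("SchemaAttributes", [])}
    write_attrs = app_client.get("WriteAttributes")
    findings = []
    for name in sorted(privilege_attributes):
        if name not in schema:
            continue  # the pool does not define the attribute, so there is nothing to write
        # No explicit WriteAttributes list means the pool defaults apply; this helper
        # treats that conservatively as writable so the client gets reviewed (assumption).
        if not write_attrs or name in write_attrs:
            findings.append(name)
    return findings


# Constructed sample configurations (not real account data).
SAMPLE_POOL = {"SchemaAttributes": [
    {"Name": "email", "AttributeDataType": "String", "Mutable": True},
    {"Name": "custom:deployment_admin", "AttributeDataType": "String", "Mutable": True},
]}
# Weak: the authorization flag is in the client's write set, so the user can set it.
WEAK_CLIENT = {"ClientName": "ops-wheel-web",
               "WriteAttributes": ["email", "custom:deployment_admin"]}
# Hardened: the flag is removed from the client's write set; a user-initiated
# UpdateUserAttributes on it is rejected, leaving only IAM-authorized admin paths
# (for example AdminUpdateUserAttributes) able to change it.
HARDENED_CLIENT = {"ClientName": "ops-wheel-web", "WriteAttributes": ["email"]}

if __name__ == "__main__":
    for label, client in (("weak", WEAK_CLIENT), ("hardened", HARDENED_CLIENT)):
        print(label, self_writable_privilege_attributes(SAMPLE_POOL, client))
```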

PUBLISHED Reserved 2026-04-23 | Published 2026-04-24 | Updated 2026-04-24 | Assigner AMZN




HIGH: 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

HIGH: 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

Problem types

CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes

Product status

Default status
unaffected

Any version before 164
affected

References

github.com/aws/aws-ops-wheel/pull/165 patch

aws.amazon.com/security/security-bulletins/2026-018-aws/ vendor-advisory

github.com/...-wheel/security/advisories/GHSA-qvfh-9cjw-8wwq third-party-advisory

cve.org (CVE-2026-6912)

nvd.nist.gov (CVE-2026-6912)