Skip to main content

AWS Ops Wheel CVE-2026-6911

| EUVDEUVD-2026-25576 CRITICAL
Improper Verification of Cryptographic Signature (CWE-347)
2026-04-24 AMZN
9.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Re-analysis Queued
Apr 24, 2026 - 17:22 vuln.today
cvss_changed
CVSS changed
Apr 24, 2026 - 17:22 NVD
9.8 (CRITICAL) 9.3 (CRITICAL)
Analysis Generated
Apr 24, 2026 - 17:00 vuln.today
EUVD ID Assigned
Apr 24, 2026 - 16:30 euvd
EUVD-2026-25576
Analysis Generated
Apr 24, 2026 - 16:30 vuln.today
Patch released
Apr 24, 2026 - 16:30 nvd
Patch available
CVE Published
Apr 24, 2026 - 16:08 nvd
CRITICAL 9.3

DescriptionCVE.org

Missing JWT signature verification in AWS Ops Wheel allows unauthenticated attackers to forge JWT tokens and gain unintended administrative access to the application, including the ability to read, modify, and delete all application data across tenants and manage Cognito user accounts within the deployment's User Pool, via a crafted JWT sent to the API Gateway endpoint.

To remediate this issue, users should redeploy from the updated repository and ensure any forked or derivative code is patched to incorporate the new fixes.

AnalysisAI

Missing JWT signature verification in AWS Ops Wheel enables remote unauthenticated attackers to forge administrative tokens and gain complete control over all application data and Cognito user accounts across all tenants. This critical authentication bypass (CVSS 9.8) has a vendor-released patch available via GitHub PR #164. EPSS data not available, but the combination of zero authentication requirements, network attack vector, and multi-tenant data exposure creates immediate exploitation risk for all deployments.

Technical ContextAI

AWS Ops Wheel is an AWS-native operational tool for managing infrastructure tasks. The vulnerability stems from CWE-347 (Improper Verification of Cryptographic Signature), where the application accepts JWT tokens without validating their cryptographic signatures. JWT (JSON Web Tokens) rely on cryptographic signatures to ensure authenticity - the absence of signature verification allows attackers to craft arbitrary tokens with any claims, including administrative privileges. The flaw affects the API Gateway endpoint authentication layer, which should validate tokens issued by AWS Cognito but instead trusts the token payload without signature checks. This is a textbook example of security control bypass through incomplete cryptographic validation, particularly dangerous in multi-tenant cloud environments where privilege escalation can cross organizational boundaries.

RemediationAI

Immediately redeploy AWS Ops Wheel from the updated GitHub repository incorporating the fixes from pull request #164 at https://github.com/aws/aws-ops-wheel/pull/164. Organizations running forked or derivative implementations must manually apply the JWT signature verification patches from the upstream fix. The remediation requires full redeployment rather than in-place patching, so plan for brief service interruption and test in non-production environments first. Until redeployment is complete, implement network-level access controls to restrict API Gateway endpoint access to trusted IP ranges only - this reduces but does not eliminate risk, as internal threats and compromised credentials can still exploit the flaw. Organizations unable to immediately redeploy should consider temporarily disabling the AWS Ops Wheel deployment until patching is complete, weighing operational impact against the critical security exposure. Review Cognito User Pool access logs for suspicious administrative actions or unexpected user modifications that may indicate prior exploitation. Refer to official AWS security bulletin AWS-2026-018 for additional vendor guidance.

CVE-2013-3900 MEDIUM
5.5 Dec 11

Why is Microsoft republishing a CVE from 2013? We are republishing CVE-2013-3900 in the Security Update Guide to update

CVE-2026-48558 CRITICAL POC
9.5 Jun 12

Authentication bypass in SimpleHelp 5.5.15 and prior (plus 6.0 pre-release builds) allows remote unauthenticated attacke

CVE-2025-59718 CRITICAL
9.8 Dec 09

Authentication bypass in Fortinet FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated remote attackers to

CVE-2025-25291 CRITICAL POC
9.3 Mar 12

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS

CVE-2025-25292 CRITICAL POC
9.3 Mar 12

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS

CVE-2022-25898 CRITICAL POC
9.8 Jul 01

The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT

CVE-2024-42004 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS. Rated criti

CVE-2024-41145 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in the WebView.app helper app of Microsoft Teams (work or school) 24046.2813.27

CVE-2024-41138 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in the com.microsoft.teams2.modulehost.app helper app of Microsoft Teams (work

CVE-2024-45409 CRITICAL POC
9.8 Sep 10

The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t

CVE-2022-35929 CRITICAL POC
9.8 Aug 04

cosign is a container signing and verification utility. Rated critical severity (CVSS 9.8), this vulnerability is remote

CVE-2022-31053 CRITICAL POC
9.8 Jun 13

Biscuit is an authentication and authorization token for microservices architectures. Rated critical severity (CVSS 9.8)

Share

CVE-2026-6911 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy