Which versions of AWS Ops Wheel are affected by CVE-2026-6911?

AWS Ops Wheel contains a critical JWT signature verification bypass (CVE-2026-6911, CVSS 9.8) that allows unauthenticated remote attackers to forge administrative tokens and gain complete control…. A patch is available.

AWS Ops Wheel CVE-2026-6911

Q: What is the CVSS score of CVE-2026-6911?

CVE-2026-6911 has a CVSS 4.0 base score of 9.3 (Critical). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-25576 CRITICAL

Improper Verification of Cryptographic Signature (CWE-347)

2026-04-24 AMZN

Information Disclosure Jwt Attack

9.3

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Re-analysis Queued

Apr 24, 2026 - 17:22 vuln.today

cvss_changed

CVSS changed

Apr 24, 2026 - 17:22 NVD

9.8 (CRITICAL) 9.3 (CRITICAL)

Analysis Generated

Apr 24, 2026 - 17:00 vuln.today

EUVD ID Assigned

Apr 24, 2026 - 16:30 euvd

EUVD-2026-25576

Analysis Generated

Apr 24, 2026 - 16:30 vuln.today

Patch released

Apr 24, 2026 - 16:30 nvd

Patch available

CVE Published

Apr 24, 2026 - 16:08 nvd

CRITICAL 9.3

DescriptionNVD

Missing JWT signature verification in AWS Ops Wheel allows unauthenticated attackers to forge JWT tokens and gain unintended administrative access to the application, including the ability to read, modify, and delete all application data across tenants and manage Cognito user accounts within the deployment's User Pool, via a crafted JWT sent to the API Gateway endpoint.

To remediate this issue, users should redeploy from the updated repository and ensure any forked or derivative code is patched to incorporate the new fixes.

AnalysisAI

Missing JWT signature verification in AWS Ops Wheel enables remote unauthenticated attackers to forge administrative tokens and gain complete control over all application data and Cognito user accounts across all tenants. This critical authentication bypass (CVSS 9.8) has a vendor-released patch available via GitHub PR #164. …

RemediationAI

Within 24 hours: Identify all AWS Ops Wheel deployments and their current versions; immediately disable external access or restrict network access to administrative functions pending patch deployment. Within 7 days: Apply vendor-released patch via GitHub PR #164 to all production and non-production instances; validate JWT signature verification is enforced post-deployment. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-6911 vulnerability details – vuln.today

Back

AWS Ops Wheel CVE-2026-6911

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

AWS Ops Wheel CVE-2026-6911

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code