Skip to main content

AWS Ops Wheel CVE-2026-6912

| EUVDEUVD-2026-25577 HIGH
Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915)
2026-04-24 AMZN
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
Re-analysis Queued
Apr 24, 2026 - 18:07 vuln.today
cvss_changed
Analysis Generated
Apr 24, 2026 - 17:30 vuln.today
CVSS changed
Apr 24, 2026 - 17:22 NVD
8.8 (HIGH) 8.7 (HIGH)
EUVD ID Assigned
Apr 24, 2026 - 17:00 euvd
EUVD-2026-25577
Analysis Generated
Apr 24, 2026 - 17:00 vuln.today
Patch released
Apr 24, 2026 - 17:00 nvd
Patch available
CVE Published
Apr 24, 2026 - 16:11 nvd
HIGH 8.7

DescriptionCVE.org

Improperly controlled modification of dynamically-determined object attributes in the Cognito User Pool configuration in AWS Ops Wheel before PR #165 allows remote authenticated users to escalate to deployment admin privileges and manage Cognito user accounts via a crafted UpdateUserAttributes API call that sets the custom:deployment_admin attribute.

To remediate this issue, users should redeploy from the updated repository and ensure any forked or derivative code is patched to incorporate the new fixes.

AnalysisAI

Authenticated users with low privileges can escalate to deployment admin in AWS Ops Wheel (pre-PR #165) by manipulating the custom:deployment_admin attribute through crafted UpdateUserAttributes API calls to Cognito User Pool. This privilege escalation allows full control over Cognito user account management and deployment administration. Upstream fix available via GitHub PR #165; AWS security bulletin AMZN-2026-018 confirms patch availability. No active exploitation confirmed (not in CISA KEV), but CVSS 8.7 reflects critical impact across confidentiality, integrity, and availability.

Technical ContextAI

This vulnerability stems from CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes), commonly called 'mass assignment' or 'attribute injection'. AWS Ops Wheel integrates with AWS Cognito User Pools, which support custom attributes for user profiles. The application failed to validate or restrict which user attributes could be modified via the UpdateUserAttributes API call. The CVSS:4.0 vector (AV:N/AC:L/PR:L) indicates network-accessible exploitation with low complexity requiring only low-privilege authentication. The vulnerable component is AWS Ops Wheel's Cognito User Pool configuration layer, which should enforce attribute modification policies but instead allowed authenticated users to arbitrarily set security-critical custom attributes like custom:deployment_admin. The CPE cpe:2.3:a:aws:aws_ops_wheel identifies all versions prior to the fix in PR #165.

RemediationAI

Immediately upgrade to AWS Ops Wheel incorporating PR #165 or later from https://github.com/aws/aws-ops-wheel/pull/165. The fix implements attribute validation to prevent unauthorized modification of security-critical custom attributes in Cognito User Pool configurations. Redeployment from the updated repository is required as stated in the advisory - configuration changes alone are insufficient. For forked or customized deployments, manually apply the security patches from PR #165 and conduct code review to ensure attribute modification controls are enforced. As a temporary compensating control if patching is delayed, implement AWS IAM policy restrictions to limit UpdateUserAttributes API permissions to only trusted admin roles, though this may impact legitimate application functionality. Review Cognito User Pool audit logs (CloudTrail) for suspicious UpdateUserAttributes calls targeting custom:deployment_admin or similar privileged attributes; investigate any unauthorized privilege changes and rotate credentials for affected accounts. Official advisory at https://aws.amazon.com/security/security-bulletins/2026-018-aws/ and GitHub security advisory GHSA-qvfh-9cjw-8wwq provide additional guidance.

Share

CVE-2026-6912 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy