Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
Missing JWT signature verification in AWS Ops Wheel allows unauthenticated attackers to forge JWT tokens and gain unintended administrative access to the application, including the ability to read, modify, and delete all application data across tenants and manage Cognito user accounts within the deployment's User Pool, via a crafted JWT sent to the API Gateway endpoint.
To remediate this issue, users should redeploy from the updated repository and ensure any forked or derivative code is patched to incorporate the new fixes.
AnalysisAI
Missing JWT signature verification in AWS Ops Wheel enables remote unauthenticated attackers to forge administrative tokens and gain complete control over all application data and Cognito user accounts across all tenants. This critical authentication bypass (CVSS 9.8) has a vendor-released patch available via GitHub PR #164. EPSS data not available, but the combination of zero authentication requirements, network attack vector, and multi-tenant data exposure creates immediate exploitation risk for all deployments.
Technical ContextAI
AWS Ops Wheel is an AWS-native operational tool for managing infrastructure tasks. The vulnerability stems from CWE-347 (Improper Verification of Cryptographic Signature), where the application accepts JWT tokens without validating their cryptographic signatures. JWT (JSON Web Tokens) rely on cryptographic signatures to ensure authenticity - the absence of signature verification allows attackers to craft arbitrary tokens with any claims, including administrative privileges. The flaw affects the API Gateway endpoint authentication layer, which should validate tokens issued by AWS Cognito but instead trusts the token payload without signature checks. This is a textbook example of security control bypass through incomplete cryptographic validation, particularly dangerous in multi-tenant cloud environments where privilege escalation can cross organizational boundaries.
RemediationAI
Immediately redeploy AWS Ops Wheel from the updated GitHub repository incorporating the fixes from pull request #164 at https://github.com/aws/aws-ops-wheel/pull/164. Organizations running forked or derivative implementations must manually apply the JWT signature verification patches from the upstream fix. The remediation requires full redeployment rather than in-place patching, so plan for brief service interruption and test in non-production environments first. Until redeployment is complete, implement network-level access controls to restrict API Gateway endpoint access to trusted IP ranges only - this reduces but does not eliminate risk, as internal threats and compromised credentials can still exploit the flaw. Organizations unable to immediately redeploy should consider temporarily disabling the AWS Ops Wheel deployment until patching is complete, weighing operational impact against the critical security exposure. Review Cognito User Pool access logs for suspicious administrative actions or unexpected user modifications that may indicate prior exploitation. Refer to official AWS security bulletin AWS-2026-018 for additional vendor guidance.
More in Jwt Attack
View allWhy is Microsoft republishing a CVE from 2013? We are republishing CVE-2013-3900 in the Security Update Guide to update
Authentication bypass in SimpleHelp 5.5.15 and prior (plus 6.0 pre-release builds) allows remote unauthenticated attacke
Authentication bypass in Fortinet FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated remote attackers to
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS
The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT
A library injection vulnerability exists in Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS. Rated criti
A library injection vulnerability exists in the WebView.app helper app of Microsoft Teams (work or school) 24046.2813.27
A library injection vulnerability exists in the com.microsoft.teams2.modulehost.app helper app of Microsoft Teams (work
The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t
cosign is a container signing and verification utility. Rated critical severity (CVSS 9.8), this vulnerability is remote
Biscuit is an authentication and authorization token for microservices architectures. Rated critical severity (CVSS 9.8)
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25576