CVE-2026-6912
8.8
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Improperly controlled modification of dynamically-determined object attributes in the Cognito User Pool configuration in AWS Ops Wheel before PR #165 allows remote authenticated users to escalate to deployment admin privileges and manage Cognito user accounts via a crafted UpdateUserAttributes API call that sets the custom:deployment_admin attribute.
To remediate this issue, users should redeploy from the updated repository and ensure any forked or derivative code is patched to incorporate the new fixes.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| AWS | AWS Ops Wheel | 0 < 164 | affected |
Weaknesses
- CWE-915: CWE-915 Improperly controlled modification of Dynamically-Determined object attributes
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://github.com/aws/aws-ops-wheel/pull/165
- https://aws.amazon.com/security/security-bulletins/2026-018-aws/
- https://github.com/aws/aws-ops-wheel/security/advisories/GHSA-qvfh-9cjw-8wwq
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.