CVE-2026-6911 - Vulnerability Analysis
Critical | CVSS: 9.8 | Last Updated: April 24, 2026
AWS Ops Wheel - Authentication Bypass
Published: April 24, 2026 | Updated: April 24, 2026 | Remote Exploitable
Overview
AWS Ops Wheel contains a broken authentication vulnerability caused by missing JWT signature verification. Unauthenticated attackers can forge JWT tokens to gain administrative access; exploitation requires sending a crafted JWT to the API Gateway endpoint.
Severity & Score
Severity: Critical
CVSS Score: 9.8
Impact
Unauthenticated attackers can gain full administrative access, including reading, modifying, and deleting data, and managing user accounts.
Mitigation
Redeploy from the updated repository and patch any forked or derivative code to incorporate the fixes.
Details
- CVE ID: CVE-2026-6911
- Severity: Critical
- CVSS Score: 9.8
- Type: broken_authentication
- Status: unconfirmed
CWE
- CWE-347
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H