CVE-2026-6912 - Vulnerability Analysis
Severity: High | CVSS: 8.8 | Last Updated: April 24, 2026
AWS Ops Wheel - Broken Access Control
Published: April 24, 2026 | Updated: April 24, 2026 | Remote Exploitable
Overview
AWS Ops Wheel before PR #165 contains a broken access control vulnerability caused by improper modification of dynamically-determined object attributes in the Cognito User Pool configuration, letting remote authenticated users escalate to deployment admin privileges via a crafted UpdateUserAttributes API call.
Severity & Score
Severity: High
CVSS Score: 8.8
Impact
Remote authenticated users can escalate privileges to deployment admin and manage Cognito user accounts, risking full administrative control.
Mitigation
Redeploy from the updated repository and patch any forked or derivative code to incorporate the new fixes.
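The weakness described above is a Cognito app client that lets users write an attribute the application then trusts for authorization. The following is an added example, not AWS Ops Wheel code: it audits a DescribeUserPoolClient response for client-writable authorization attributes and shows an admin check based on Cognito group membership instead. The attribute names `custom:role` and `custom:is_admin` and the group name `deployment-admins` are assumptions; the advisory does not name the real attribute.

```python
"""Added example (not AWS Ops Wheel code): audit a Cognito app client for
client-writable attributes used in authorization, and decide admin status
from group membership rather than from a user-editable attribute."""
from typing import Dict, List

# Hypothetical attribute names; the advisory does not name the real attribute.
AUTHZ_ATTRIBUTES = {"custom:role", "custom:is_admin"}
ADMIN_GROUP = "deployment-admins"  # hypothetical Cognito group name


def client_writable_authz_attributes(user_pool_client: Dict) -> List[str]:
    """Return authorization-bearing attributes the app client may write.

    user_pool_client is the 'UserPoolClient' dict returned by the cognito-idp
    DescribeUserPoolClient API. Anything listed in WriteAttributes can be
    changed by the user themselves via UpdateUserAttributes with their own
    access token, so it must never carry a privilege decision. An absent list
    means Cognito's default write permissions apply and should be reviewed.
    """
    writable = set(user_pool_client.get("WriteAttributes", []))
    return sorted(AUTHZ_ATTRIBUTES & writable)


def is_deployment_admin(claims: Dict) -> bool:
    """Derive admin status from group membership, never from a user attribute.

    `claims` is the payload of an already-verified Cognito ID or access token.
    The cognito:groups claim is set by Cognito from administrator-managed group
    membership and cannot be altered through UpdateUserAttributes.
    """
    return ADMIN_GROUP in claims.get("cognito:groups", [])


# Constructed sample data, not captured from a real deployment.
WEAK_CLIENT = {"ClientId": "example", "WriteAttributes": ["email", "custom:role"]}
FIXED_CLIENT = {"ClientId": "example", "WriteAttributes": ["email"]}
# Claims of a user who set custom:role=admin on themselves but belongs to no group.
SELF_PROMOTED_CLAIMS = {"sub": "u-1", "custom:role": "admin"}
REAL_ADMIN_CLAIMS = {"sub": "u-2", "cognito:groups": ["deployment-admins"]}

if __name__ == "__main__":
    print("weak client writable:", client_writable_authz_attributes(WEAK_CLIENT))
    print("fixed client writable:", client_writable_authz_attributes(FIXED_CLIENT))
    print("self-promoted user is admin?", is_deployment_admin(SELF_PROMOTED_CLAIMS))
    print("group member is admin?", is_deployment_admin(REAL_ADMIN_CLAIMS))
```

To run the audit against a live pool, pass the `UserPoolClient` dict from `boto3.client("cognito-idp").describe_user_pool_client(...)` to `client_writable_authz_attributes`; any non-empty result is a finding.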
Details
- CVE ID: CVE-2026-6912
- Severity: High
- CVSS Score: 8.8
- Type: broken_access_control
- Status: unconfirmed
CWE
- CWE-915
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H