CVE-2026-6912

HIGH NVD

CVSS Score 8.8

Severity HIGH

Published Apr 24, 2026

Vendor unknown

Description

Improperly controlled modification of dynamically-determined object attributes in the Cognito User Pool configuration in AWS Ops Wheel before PR #165 allows remote authenticated users to escalate to deployment admin privileges and manage Cognito user accounts via a crafted UpdateUserAttributes API call that sets the custom:deployment_admin attribute. To remediate this issue, users should redeploy from the updated repository and ensure any forked or derivative code is patched to incorporate the new fixes.

References

https://aws.amazon.com/security/security-bulletins/2026-018-aws/
https://github.com/aws/aws-ops-wheel/pull/165
https://github.com/aws/aws-ops-wheel/security/advisories/GHSA-qvfh-9cjw-8wwq