AWS Ops Wheel Cognito User Pool Attribute Escalation via UpdateUserAttributes
CVE-2026-6912 Published on April 24, 2026

Privilege Escalation via Self-Writable Cognito Custom Attribute in AWS Ops Wheel
Improperly controlled modification of dynamically-determined object attributes in the Cognito User Pool configuration in AWS Ops Wheel before PR #165 allows remote authenticated users to escalate to deployment admin privileges and manage Cognito user accounts via a crafted UpdateUserAttributes API call that sets the custom:deployment_admin attribute. To remediate this issue, users should redeploy from the updated repository and ensure any forked or derivative code is patched to incorporate the new fixes.
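The advisory describes a user-writable custom attribute that the application treats as an authorization decision. The following added example (not code from the AWS Ops Wheel project or the advisory) shows the two checks a defender would want: an audit of a Cognito app client's `WriteAttributes` list for privilege-bearing custom attributes, with the hardened client configuration derived from it, and a detection pass over CloudTrail records for self-service `UpdateUserAttributes` calls that touch such an attribute. The `DescribeUserPoolClient` response and the CloudTrail events are constructed samples; the attribute name `custom:deployment_admin` comes from the advisory, and the CloudTrail field layout is an assumption modelled on Cognito's records.

```python
"""Audit a Cognito app client's writable attributes and flag self-service
UpdateUserAttributes calls that set a privilege-bearing custom attribute.

Added example, not AWS Ops Wheel code. Response and event shapes below are
constructed samples modelled on DescribeUserPoolClient and CloudTrail.
"""
from typing import Dict, Iterable, List

# Attributes the application reads as an authorization signal. A self-service
# app client must never be able to write them. The name comes from the
# advisory; treating it as the only privileged attribute is an assumption.
PRIVILEGED_ATTRIBUTES = frozenset({"custom:deployment_admin"})

# Constructed DescribeUserPoolClient response for the weak configuration:
# the app client is allowed to write custom:deployment_admin.
WEAK_CLIENT = {
    "UserPoolClient": {
        "ClientId": "EXAMPLECLIENTID",
        "ClientName": "ops-wheel-web",
        "ReadAttributes": ["email", "custom:deployment_admin"],
        "WriteAttributes": ["email", "custom:deployment_admin"],
    }
}


def writable_privileged_attributes(describe_response: Dict) -> List[str]:
    """Return the privileged attributes this app client may write.

    Cognito only lets a user's own token set attributes listed in the client's
    WriteAttributes; a custom attribute absent from that list cannot be
    changed through UpdateUserAttributes.
    """
    client = describe_response["UserPoolClient"]
    writable = set(client.get("WriteAttributes", []))
    return sorted(writable & PRIVILEGED_ATTRIBUTES)


def hardened_client(describe_response: Dict) -> Dict:
    """Return a copy of the client with privileged attributes removed from
    WriteAttributes; this is the setting to apply with UpdateUserPoolClient."""
    client = dict(describe_response["UserPoolClient"])
    client["WriteAttributes"] = [
        a for a in client.get("WriteAttributes", []) if a not in PRIVILEGED_ATTRIBUTES
    ]
    return {"UserPoolClient": client}


# Constructed CloudTrail records. Field names follow CloudTrail's usual
# lower-camel-case rendering of request parameters (assumption).
SAMPLE_EVENTS = [
    {   # self-service call setting the privileged attribute: should alert
        "eventSource": "cognito-idp.amazonaws.com",
        "eventName": "UpdateUserAttributes",
        "sourceIPAddress": "198.51.100.7",
        "requestParameters": {"userAttributes": [
            {"name": "custom:deployment_admin", "value": "true"}]},
    },
    {   # ordinary profile change: benign
        "eventSource": "cognito-idp.amazonaws.com",
        "eventName": "UpdateUserAttributes",
        "sourceIPAddress": "203.0.113.9",
        "requestParameters": {"userAttributes": [
            {"name": "email", "value": "user@example.com"}]},
    },
    {   # administrative path (IAM credentials, not a user token): out of scope
        "eventSource": "cognito-idp.amazonaws.com",
        "eventName": "AdminUpdateUserAttributes",
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"userAttributes": [
            {"name": "custom:deployment_admin", "value": "true"}]},
    },
]


def suspicious_attribute_updates(events: Iterable[Dict]) -> List[Dict]:
    """Return self-service UpdateUserAttributes events touching a privileged
    attribute. AdminUpdateUserAttributes is excluded because it needs IAM
    permissions rather than an end-user access token."""
    hits = []
    for ev in events:
        if ev.get("eventSource") != "cognito-idp.amazonaws.com":
            continue
        if ev.get("eventName") != "UpdateUserAttributes":
            continue
        attrs = ev.get("requestParameters", {}).get("userAttributes", [])
        touched = sorted({a.get("name") for a in attrs} & PRIVILEGED_ATTRIBUTES)
        if touched:
            hits.append({"sourceIPAddress": ev.get("sourceIPAddress"),
                         "attributes": touched})
    return hits


if __name__ == "__main__":
    print("writable privileged:", writable_privileged_attributes(WEAK_CLIENT))
    print("hardened WriteAttributes:",
          hardened_client(WEAK_CLIENT)["UserPoolClient"]["WriteAttributes"])
    print("suspicious events:", suspicious_attribute_updates(SAMPLE_EVENTS))
```

In a real account the `WEAK_CLIENT` dict is what `boto3` returns from `cognito-idp` `describe_user_pool_client`, and the event list is what a CloudTrail query yields; removing the attribute from `WriteAttributes` closes the self-service path, while the detection covers the window before redeployment and any forks that still carry the old configuration.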


Vulnerability Analysis

CVE-2026-6912 is exploitable over the network and requires only low privileges. The attack complexity is rated low, and the potential impact of a successful exploit is rated very high.

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

Weakness Type

What is a Mass Assignment Vulnerability?

The software receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

CVE-2026-6912 has been classified as a Mass Assignment vulnerability.
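The weakness class is easiest to see at the code level. The following added example (not from the page or the AWS Ops Wheel project) puts the vulnerable update pattern, where every field in the request is bound onto the user record, beside the hardened form that applies an explicit allow-list of user-editable fields and rejects anything else. The `User` type, its `is_admin` field and the `USER_EDITABLE` set are illustrative assumptions.

```python
"""Mass assignment: unrestricted attribute update beside an allow-listed one.

Added example, not code from the page or the AWS Ops Wheel project.
"""
from dataclasses import dataclass, replace
from typing import Dict


@dataclass(frozen=True)
class User:
    username: str
    email: str
    display_name: str
    is_admin: bool = False   # privilege-bearing field, server-controlled (assumed)


# Fields an end user may change on their own account. Everything else,
# including is_admin, is only set by a privileged code path.
USER_EDITABLE = frozenset({"email", "display_name"})


def update_profile_unsafe(user: User, payload: Dict) -> User:
    """Vulnerable pattern: every key in the request body is copied onto the
    record, so a body carrying {"is_admin": true} grants itself privilege."""
    return replace(user, **payload)


class ForbiddenField(ValueError):
    """Raised when a request tries to set a field outside the allow-list."""


def update_profile_safe(user: User, payload: Dict) -> User:
    """Hardened pattern: keys outside USER_EDITABLE are rejected rather than
    silently dropped, so the attempt surfaces as an error the service can log."""
    forbidden = sorted(set(payload) - USER_EDITABLE)
    if forbidden:
        raise ForbiddenField(f"fields not user-editable: {forbidden}")
    return replace(user, **payload)


if __name__ == "__main__":
    alice = User("alice", "alice@example.com", "Alice")
    # Constructed request body: a normal change plus a privilege field.
    body = {"display_name": "Alice A.", "is_admin": True}
    print("unsafe:", update_profile_unsafe(alice, body))
    try:
        update_profile_safe(alice, body)
    except ForbiddenField as exc:
        print("safe:", exc)
```

Rejecting unknown keys instead of filtering them out is a deliberate choice: a filtered request succeeds quietly and leaves no trace, whereas a rejected one produces an error that can feed a detection rule.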


Products Associated with CVE-2026-6912


Affected Versions

AWS Ops Wheel: