CVE-2026-6912 · HIGH 8.8 · EPSS p33.4%


Description

Improperly controlled modification of dynamically-determined object attributes in the Cognito User Pool configuration in AWS Ops Wheel before PR #165 allows remote authenticated users to escalate to deployment admin privileges and manage Cognito user accounts via a crafted UpdateUserAttributes API call that sets the custom:deployment_admin attribute. To remediate this issue, users should redeploy from the updated repository and ensure any forked or derivative code is patched to incorporate the new fixes.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.42% probability of exploitation · percentile 33.4% · 2026-06-19T12:03:05Z
Published: 2026-04-24
Last modified: 2026-04-24

Underlying weaknesses · 1

CWE-915

References

  1. https://aws.amazon.com/security/security-bulletins/2026-018-aws/
  2. https://github.com/aws/aws-ops-wheel/pull/165
  3. https://github.com/aws/aws-ops-wheel/security/advisories/GHSA-qvfh-9cjw-8wwq

Type: Weakness
Target: Improperly Controlled Modification of Dynamically-Determined Object Attributes (cwe-915)
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-6911
  2. CVE-2026-49204
  3. CVE-2026-10843
  4. CVE-2025-45472
  5. CVE-2026-5652
  6. CVE-2026-9088

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.