Cyber Posture

CVE-2026-6912

Severity: High
Published: 24 April 2026
Modified: 24 April 2026
KEV Added:
Patch:
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0017 (38.3rd percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Description

Improperly controlled modification of dynamically-determined object attributes in the Cognito User Pool configuration in AWS Ops Wheel before PR #165 allows remote authenticated users to escalate to deployment admin privileges and manage Cognito user accounts via a crafted UpdateUserAttributes API call that sets the custom:deployment_admin attribute. To remediate this issue, users should redeploy from the updated repository and ensure any forked or derivative code is patched to incorporate the new fixes.

Mitigating Controls (NIST 800-53 r5) [AI]

- prevent: Enforces approved authorizations to prevent unauthorized modification of Cognito User Pool attributes like custom:deployment_admin via API calls.
- prevent: Restricts privileges to the minimum necessary, blocking low-privileged users from escalating to deployment admin via attribute modification.
- prevent: Manages accounts and associated privileges in Cognito User Pools to prevent improper assignment of admin roles through crafted updates.
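The controls above come down to one configuration question: can a signed-in user write the privilege-bearing attribute themselves? In Cognito, user-initiated UpdateUserAttributes calls can only change attributes that the calling app client lists in its WriteAttributes, and a schema attribute marked DeveloperOnlyAttribute can only be set through admin APIs. The following audit script is an added example, not code from the Ops Wheel project, the advisory, or PR #165. The offline part works on constructed DescribeUserPool / DescribeUserPoolClient response fragments; the `audit_live_pool` helper uses real boto3 cognito-idp calls but needs credentials and a real pool ID (the placeholder is an assumption). It assumes the documented Cognito default that an app client with no explicit WriteAttributes can write only standard attributes, so an empty list is treated as safe for a custom attribute.

```python
"""Audit a Cognito user pool for app clients that let users self-write a
privilege-bearing custom attribute (the page's custom:deployment_admin).
Added example: pure audit logic plus an optional live boto3 wrapper."""
from __future__ import annotations

from typing import Any

# Attribute name taken from the advisory text; the flaw is that a user could
# set it on their own account through UpdateUserAttributes.
PRIVILEGE_ATTRIBUTE = "custom:deployment_admin"

# Constructed sample data in the shape Cognito returns (not from a real pool):
# DescribeUserPool -> UserPool.SchemaAttributes
SAMPLE_SCHEMA: list[dict[str, Any]] = [
    {"Name": "email", "AttributeDataType": "String", "Mutable": True, "Required": True},
    {"Name": "custom:deployment_admin", "AttributeDataType": "String",
     "Mutable": True, "DeveloperOnlyAttribute": False},
]
# DescribeUserPoolClient -> UserPoolClient, one per app client
SAMPLE_CLIENTS: list[dict[str, Any]] = [
    {"ClientId": "example-web-client-id", "ClientName": "ops-wheel-web",
     "WriteAttributes": ["email", "custom:deployment_admin"]},   # weak: self-writable
    {"ClientId": "example-other-client-id", "ClientName": "ops-wheel-other",
     "WriteAttributes": ["email"]},                             # fine
]


def audit_attribute_exposure(schema: list[dict[str, Any]],
                             clients: list[dict[str, Any]],
                             attribute: str = PRIVILEGE_ATTRIBUTE) -> dict[str, Any]:
    """Report whether `attribute` can be set by an ordinary signed-in user.

    The attribute is self-writable when it exists in the schema, is not a
    developer-only attribute, and at least one app client lists it in
    WriteAttributes. An absent or empty WriteAttributes list means the
    Cognito default (standard attributes only), so it does not expose a
    custom attribute.
    """
    attr_def = next((a for a in schema if a.get("Name") == attribute), None)
    developer_only = bool(attr_def and attr_def.get("DeveloperOnlyAttribute", False))
    exposing = [c.get("ClientName", c.get("ClientId", "?"))
                for c in clients if attribute in c.get("WriteAttributes", [])]
    return {
        "attribute_defined": attr_def is not None,
        "mutable": bool(attr_def and attr_def.get("Mutable", False)),
        "developer_only": developer_only,
        "self_writable_via": exposing,
        "vulnerable": attr_def is not None and not developer_only and bool(exposing),
    }


def hardened_write_attributes(client: dict[str, Any],
                              attribute: str = PRIVILEGE_ATTRIBUTE) -> list[str]:
    """WriteAttributes list to pass to UpdateUserPoolClient so the app client
    can no longer write `attribute`. UpdateUserPoolClient replaces the whole
    list, so the other entries are preserved."""
    return [a for a in client.get("WriteAttributes", []) if a != attribute]


def audit_live_pool(user_pool_id: str, attribute: str = PRIVILEGE_ATTRIBUTE) -> dict[str, Any]:
    """Run the same audit against a real pool (needs AWS credentials)."""
    import boto3  # imported here so the offline audit logic has no AWS dependency
    idp = boto3.client("cognito-idp")
    schema = idp.describe_user_pool(UserPoolId=user_pool_id)["UserPool"]["SchemaAttributes"]
    clients: list[dict[str, Any]] = []
    for page in idp.get_paginator("list_user_pool_clients").paginate(UserPoolId=user_pool_id):
        for entry in page["UserPoolClients"]:
            clients.append(idp.describe_user_pool_client(
                UserPoolId=user_pool_id, ClientId=entry["ClientId"])["UserPoolClient"])
    return audit_attribute_exposure(schema, clients, attribute)


if __name__ == "__main__":
    report = audit_attribute_exposure(SAMPLE_SCHEMA, SAMPLE_CLIENTS)
    print("offline sample:", report)
    for c in SAMPLE_CLIENTS:
        if PRIVILEGE_ATTRIBUTE in c.get("WriteAttributes", []):
            print(f"{c['ClientName']}: set WriteAttributes to "
                  f"{hardened_write_attributes(c)}")
    # Example live call (placeholder pool id, assumption):
    # print(audit_live_pool("us-east-1_EXAMPLE"))
```

Removing the attribute from WriteAttributes stops the self-service path; marking authorization attributes as developer-only at pool creation (they then appear as dev:custom:...) is the stricter design, since only admin APIs can touch them regardless of app client settings.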

Security Summary [AI]

CVE-2026-6912 is an improper control over modification of dynamically-determined object attributes vulnerability (CWE-915) in the Cognito User Pool configuration of AWS Ops Wheel prior to pull request #165. This flaw enables unauthorized changes to object attributes via the UpdateUserAttributes API call. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-04-24.

Remote authenticated users with low privileges can exploit the vulnerability over the network with low complexity and no user interaction required. By crafting an UpdateUserAttributes API call to set the custom:deployment_admin attribute, attackers can escalate to deployment admin privileges, allowing them to manage Cognito user accounts.

Advisories recommend redeploying from the updated repository after merging PR #165 and patching any forked or derivative code to incorporate the fixes. Further details are provided in the AWS security bulletin at https://aws.amazon.com/security/security-bulletins/2026-018-aws/, the GitHub pull request at https://github.com/aws/aws-ops-wheel/pull/165, and the GitHub security advisory at https://github.com/aws/aws-ops-wheel/security/advisories/GHSA-qvfh-9cjw-8wwq.

Details

CWE(s)

CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes

MITRE ATT&CK Enterprise Techniques [AI]

- T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
- T1098.003 Additional Cloud Roles (tactic: Persistence): An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant.
Why these techniques?

The vulnerability allows low-privileged authenticated users to exploit improper attribute controls via the UpdateUserAttributes API and escalate privileges by setting a custom admin attribute (T1068). This in turn lets them add cloud roles and privileges through attribute modification (T1098.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

- AWS security bulletin: https://aws.amazon.com/security/security-bulletins/2026-018-aws/
- GitHub pull request #165: https://github.com/aws/aws-ops-wheel/pull/165
- GitHub security advisory GHSA-qvfh-9cjw-8wwq: https://github.com/aws/aws-ops-wheel/security/advisories/GHSA-qvfh-9cjw-8wwq