Description
Missing JWT signature verification in AWS Ops Wheel allows unauthenticated attackers to forge JWT tokens and gain unintended administrative access to the application, including the ability to read, modify, and delete all application data across tenants and manage Cognito user accounts within the deployment's User Pool, via a crafted JWT sent to the API Gateway endpoint.

To remediate this issue, users should redeploy from the updated repository and ensure any forked or derivative code is patched to incorporate the new fixes.
Published: 2026-04-24
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Administrative Access leading to data compromise and user account manipulation
Action: Immediate Patch
AI Analysis

Impact

A missing JWT signature check in AWS Ops Wheel lets attackers forge authentication tokens, allowing them to access the application as an administrator. This grants full read, modify, and delete rights across all tenants and the ability to manage Cognito user accounts, thereby compromising confidentiality, integrity, and availability of the data stored within the deployment.

Affected Systems

The vulnerability affects AWS Ops Wheel deployments. No specific version numbers are listed, so any instance running the vulnerable code—including forks or derivative projects that have not applied the patch—remains at risk.

Risk and Exploitability

The CVSS score of 9.3 indicates critical severity. The EPSS score is below 1%, indicating a low current probability of exploitation, and the vulnerability is not tracked in the CISA KEV catalog. Attackers would need to send a crafted JWT to the API Gateway endpoint, an action that can be performed over the network from any remote host. Once the forged token is accepted, the attacker gains unrestricted administrative capabilities, making this a serious risk in environments where AWS Ops Wheel is exposed to untrusted traffic.

Generated by OpenCVE AI on April 28, 2026 at 06:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the latest version of AWS Ops Wheel from the official repository, ensuring the new code that verifies JWT signatures is in use
  • For any forked or derivative code, backport the patch that adds signature verification to the JWT validation logic
  • Reconfigure API Gateway to enforce JWT authorizer settings that reject any token lacking a valid signature, thereby preventing unauthenticated access
  • Optionally revoke all existing Cognito tokens and rotate user pool client credentials to invalidate any tokens that could have been forged
  • Review and tighten IAM policies that govern Cognito user account management to limit administrative privileges to only necessary services

Generated by OpenCVE AI on April 28, 2026 at 06:03 UTC.
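As an added illustration (not code from this page or from the AWS Ops Wheel project), the CWE-347 pattern the analysis describes beside the verification the recommended actions call for. Cognito really issues RS256 tokens signed with keys served from the User Pool's JWKS endpoint; the HMAC key, issuer and client id below are constructed placeholders standing in for that key lookup.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values. Cognito really signs with RS256 keys served from the
# User Pool's JWKS endpoint; the HMAC key here stands in for that key lookup.
DEMO_KEY = b"constructed-demo-signing-key"
EXPECTED_ISSUER = "https://cognito-idp.REGION.amazonaws.com/POOL_ID_PLACEHOLDER"
EXPECTED_CLIENT_ID = "app-client-id-placeholder"

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def decode_unverified(token):
    """The CWE-347 pattern: claims are trusted straight out of the payload segment."""
    _, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(payload_b64))

def verify_token(token, key=DEMO_KEY, now=None):
    """Hardened check: alg allow-list, signature, issuer, client, token_use, expiry.
    Returns the claims on success and None on any failure."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # refuses 'none' and unexpected algorithms
            return None
        signing_input = f"{header_b64}.{payload_b64}".encode()
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
        if claims.get("iss") != EXPECTED_ISSUER or claims.get("token_use") != "access":
            return None
        if claims.get("client_id") != EXPECTED_CLIENT_ID:  # Cognito access tokens carry client_id
            return None
        if claims.get("exp", 0) <= now:
            return None
    except (ValueError, TypeError, AttributeError):  # malformed segment, JSON or claim type
        return None
    return claims

def make_demo_token(claims, key=DEMO_KEY):
    """Builds a constructed HS256 token so the two checkers can be compared offline."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"
```

A token carrying an admin group but signed with a key the deployment never had is accepted by `decode_unverified` and rejected by `verify_token`; for a real Cognito User Pool, replace the HMAC step with RS256 verification against the key whose `kid` matches the token header.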


Advisories

No advisories yet.

History

Thu, 30 Apr 2026 16:30:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 24 Apr 2026 16:30:00 +0000

Values Added:
Description: Missing JWT signature verification in AWS Ops Wheel allows unauthenticated attackers to forge JWT tokens and gain unintended administrative access to the application, including the ability to read, modify, and delete all application data across tenants and manage Cognito user accounts within the deployment's User Pool, via a crafted JWT sent to the API Gateway endpoint. To remediate this issue, users should redeploy from the updated repository and ensure any forked or derivative code is patched to incorporate the new fixes.
Title: Authentication Bypass via Missing JWT Signature Verification in AWS Ops Wheel
First Time appeared: Aws; Aws aws Ops Wheel
Weaknesses: CWE-347
CPEs: cpe:2.3:a:aws:aws_ops_wheel:*:*:*:*:*:*:*:*
Vendors & Products: Aws; Aws aws Ops Wheel
References:
Metrics: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Metrics: cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L'}


MITRE

Status: PUBLISHED

Assigner: AMZN

Published:

Updated: 2026-04-30T15:21:15.482Z

Reserved: 2026-04-23T13:38:10.476Z

Link: CVE-2026-6911

Vulnrichment

Updated: 2026-04-24T16:28:24.703Z

NVD

Status: Awaiting Analysis

Published: 2026-04-24T17:16:22.220

Modified: 2026-04-24T17:56:41.280

Link: CVE-2026-6911

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T08:45:26Z

Weaknesses