Description
Improperly controlled modification of dynamically-determined object attributes in the Cognito User Pool configuration in AWS Ops Wheel before PR #165 allows remote authenticated users to escalate to deployment admin privileges and manage Cognito user accounts via a crafted UpdateUserAttributes API call that sets the custom:deployment_admin attribute.

To remediate this issue, users should redeploy from the updated repository and ensure any forked or derivative code is patched to incorporate the new fixes.
Published: 2026-04-24
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Apply Patch
AI Analysis

Impact

AWS Ops Wheel contains a flaw that allows a remote authenticated user to modify Cognito User Pool attributes through a crafted UpdateUserAttributes API call. The application permits the custom:deployment_admin attribute to be set by anyone who already has an authenticated session. When set, this attribute grants deployment‑level administrative privileges and full control over Cognito user accounts. This is a classic example of CWE‑915, where dynamic user data is improperly validated before being applied to system configuration.

Affected Systems

The vulnerability affects installations of AWS Ops Wheel that have not yet integrated the security patch introduced in PR #165. Users running earlier versions of the repository, or any forks or derivative deployments that replicate the original code path, remain exposed. All Cognito User Pools managed by such Ops Wheel instances are at risk.

Risk and Exploitability

The identified flaw has a CVSS score of 8.7, denoting high severity, while the EPSS score is reported as <1%, indicating a very low current likelihood of exploitation. The issue is not listed in the CISA KEV catalog. Exploitation requires a valid authenticated session to the Ops Wheel service and the ability to send a custom UpdateUserAttributes call; therefore the attack vector is remote authenticated. While the high severity suggests that an attacker who succeeds would gain significant administrative control, the low EPSS suggests few or no public exploits exist at present.

Generated by OpenCVE AI on April 28, 2026 at 06:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Redeploy from the updated AWS Ops Wheel repository that includes the security patch from PR #165.
  • Ensure that any forks or derivative code bases are updated with the same changes to the code that controls Cognito custom attribute handling.
  • If immediate redeployment is not possible, restrict or delete the custom:deployment_admin attribute in the Cognito User Pool configuration to prevent unauthenticated modification of administrative privileges.

Generated by OpenCVE AI on April 28, 2026 at 06:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 24 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 24 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Description Improperly controlled modification of dynamically-determined object attributes in the Cognito User Pool configuration in AWS Ops Wheel before PR #165 allows remote authenticated users to escalate to deployment admin privileges and manage Cognito user accounts via a crafted UpdateUserAttributes API call that sets the custom:deployment_admin attribute. To remediate this issue, users should redeploy from the updated repository and ensure any forked or derivative code is patched to incorporate the new fixes.
Title Privilege Escalation via Self-Writable Cognito Custom Attribute in AWS Ops Wheel
First Time appeared Aws
Aws aws Ops Wheel
Weaknesses CWE-915
CPEs cpe:2.3:a:aws:aws_ops_wheel:*:*:*:*:*:*:*:*
Vendors & Products Aws
Aws aws Ops Wheel
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L'}

Subscriptions

Aws Aws Ops Wheel
cve-icon MITRE

Status: PUBLISHED

Assigner: AMZN

Published:

Updated: 2026-04-24T16:48:22.475Z

Reserved: 2026-04-23T13:38:11.080Z

Link: CVE-2026-6912

cve-icon Vulnrichment

Updated: 2026-04-24T16:48:19.563Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-24T17:16:22.377

Modified: 2026-04-24T17:56:41.280

Link: CVE-2026-6912

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T08:45:26Z

Weaknesses