CVE-2026-6911

Published 24/04/2026 17:16 · Modified 24/04/2026 17:56

Labels: CVE-2026-6911, 2026-04-24, CWE-347, ff89ba41-3aa1-4d27-914a-91399e9639e5

Essential information

Published: 24/04/2026 17:16
Modified: 24/04/2026 17:56
Author:
Creator:
CVSS: 9.3 CRITICAL (v3), 9.3 CRITICAL (v4.0)
CISA KEV: No
CWE:
CVSS vector:

Description

Missing JWT signature verification in AWS Ops Wheel allows unauthenticated attackers to forge JWT tokens and gain unintended administrative access to the application, including the ability to read, modify, and delete all application data across tenants and manage Cognito user accounts within the deployment's User Pool, via a crafted JWT sent to the API Gateway endpoint. To remediate this issue, users should redeploy from the updated repository and ensure any forked or derivative code is patched to incorporate the new fixes.

NVD status

Status: Awaiting Analysis — CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.
Source: ff89ba41-3aa1-4d27-914a-91399e9639e5

Affected products (CPE)

Product: aws / ops wheel
CPE: cpe:2.3:a:aws:ops_wheel:*:*:*:*:*:*:*:*
