
cpe:2.3:a:aws:aws_ops_wheel:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor: Aws (e6707f00-6abb-51df-808c-9e3417305027)
Product: Aws Ops Wheel (e1c02ce1-8eb2-57af-81af-2cae3d2253d5)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL | Source | Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale
CVE:CVE-2026-6912 vulnerable 2026-06-03 15:27:55.877633 Privilege Escalation via Self-Writable Cognito Custom Attribute in AWS Ops Wheel
HIGH (8.8)
Improperly controlled modification of dynamically-determined object attributes in the Cognito User Pool configuration in AWS Ops Wheel before PR #165 allows remote authenticated users to escalate to deployment admin privileges and manage Cognito user accounts via a crafted UpdateUserAttributes API call that sets the custom:deployment_admin attribute. To remediate this issue, users should redeploy from the updated repository and ensure any forked or derivative code is patched to incorporate the new fixes.
Published: 2026-04-24T16:11:45.833Z
Updated: 2026-04-24T16:48:22.475Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-6911 vulnerable 2026-06-03 15:27:55.877242 Authentication Bypass via Missing JWT Signature Verification in AWS Ops Wheel
CRITICAL (9.8)
Missing JWT signature verification in AWS Ops Wheel allows unauthenticated attackers to forge JWT tokens and gain unintended administrative access to the application, including the ability to read, modify, and delete all application data across tenants and manage Cognito user accounts within the deployment's User Pool, via a crafted JWT sent to the API Gateway endpoint. To remediate this issue, users should redeploy from the updated repository and ensure any forked or derivative code is patched to incorporate the new fixes.
Published: 2026-04-24T16:08:45.808Z
Updated: 2026-04-30T15:21:15.482Z
Imported from gcve-enriched-dumps CVE data
