Issue with AWS Ops Wheel (CVE-2026-6911 and CVE-2026-6912)

Bulletin ID: 2026-018-AWS
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 04/24/2026 9:15 AM PDT
 

Description:

AWS Ops Wheel is an open-source tool that helps teams make random selections using a virtual spinning wheel, deployed into customer AWS accounts via CloudFormation.

CVE-2026-6911 relates to an issue where JWT token signature verification was not enforced in the v2 API. This could allow an unauthenticated actor with network access to the API Gateway endpoint to craft a token and gain unintended administrative access to the application, including the ability to read, modify, and delete all application data across tenants and manage Cognito user accounts within the deployment's User Pool.
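
As an added illustration of the flaw class described above (example code, not code from the Ops Wheel project), the two decoders side by side: one that reads claims without checking the signature, and a hardened one that pins the algorithm, verifies the signature, and then validates issuer and expiry. Cognito issues RS256 tokens that are checked against the User Pool's JWKS public keys; this example uses HS256 with a constructed shared secret so it runs on the standard library alone, and the issuer URL and the `role` claim are placeholders.

```python
import base64, hmac, hashlib, json, time

# Constructed shared secret and placeholder issuer for this example. Cognito-issued
# tokens are RS256 and would be checked against the User Pool's JWKS public keys.
SECRET = b"example-shared-secret-not-real"
EXPECTED_ISS = "https://cognito-idp.example.invalid/placeholder-pool"

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign(claims):
    """What the trusted issuer does: header.payload signed with HS256."""
    header_b64 = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload_b64 = _b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{_b64url_encode(mac)}"

def decode_unverified(token):
    """The vulnerable pattern: claims are trusted without checking the signature."""
    _, payload_b64, _ = token.split(".")
    return json.loads(_b64url_decode(payload_b64))

def decode_verified(token, now=None):
    """Hardened pattern: pin the algorithm, check the MAC, then validate claims."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # also rejects alg=none
    mac = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISS or claims.get("exp", 0) <= now:
        raise ValueError("wrong issuer or expired")
    return claims

def is_accepted(token, now=None):
    """True if the hardened decoder accepts the token (for regression tests)."""
    try:
        decode_verified(token, now)
        return True
    except ValueError:
        return False

def tamper_payload(token, claims):
    """Regression-test input: a legitimate token whose claims were swapped, signature kept."""
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{_b64url_encode(json.dumps(claims).encode())}.{sig_b64}"
```

A regression test for the v2-style handler would assert that a token with swapped claims is rejected by the verified path while noting that the unverified path accepts it.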

CVE-2026-6912 relates to an issue in the v2 Cognito User Pool configuration where attribute write permissions were insufficiently restricted. This could allow an authenticated user to modify their own privilege attributes and gain elevated access within the application, including the ability to manage Cognito user accounts.

Impacted versions: 

  • AWS Ops Wheel v2 deployments PR #163 and earlier

Resolution:

CVE-2026-6911 has been addressed in PR #164 and CVE-2026-6912 has been addressed in PR #165. Users should redeploy from the latest version and ensure any forked or derivative code is patched to incorporate the new fixes.

Workarounds:

Customers who cannot immediately redeploy can limit exposure by restricting network access to their API Gateway endpoint using AWS WAF or VPC configuration.

References:


Please email aws-security@amazon.com with any security questions or concerns.