CVE-2026-6912
Privilege Escalation via Self-Writable Cognito Custom Attribute in AWS Ops Wheel
Improperly controlled modification of dynamically-determined object attributes in the Cognito User Pool configuration in AWS Ops Wheel before PR #165 allows remote authenticated users to escalate to deployment admin privileges and manage Cognito user accounts via a crafted UpdateUserAttributes API call that sets the custom:deployment_admin attribute.
To remediate this issue, users should redeploy from the updated repository and ensure any forked or derivative code is patched to incorporate the new fixes.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L
Productos afectados
AWS · AWS Ops Wheel¿Quieres saber si tu infraestructura está expuesta a esto?
Hablar con TrueHacking →