CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-6912

unknowncovered by 1 sourcefirst seen 2026-06-05
Bulletin ID: 2026-018-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 2026/04/24 09:15 AM PDT Description: AWS Ops Wheel is an open-source tool that helps teams make random selections using a virtual spinning wheel, deployed into customer AWS accounts via CloudFormation. CVE-2026-6911 relates to an issue where JWT token signature verification was not enforced in the v2 API. CVE-2026-6912 relates to an issue in the v2 Cognito User Pool configuration where attribute write permissions were insufficiently restricted. Impacted versions: AWS Ops Wheel v2 deployments PR-163 and earlier Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.

CSIRTS triage

vendor: Amazonproduct: AWS Ops WheelAuthentication bypassaffected: v2 deployments PR-163 and earlier
What
JWT token signature verification was not enforced, and attribute write permissions were insufficiently restricted.
Who is affected
Users of AWS Ops Wheel v2 deployments prior to PR-163.
Urgency
Remediation is important due to the potential for unauthorized actions.
Action
Update to a version beyond PR-163.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch CVE-2026-6912

Get an email if CVE-2026-6912 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-6912

CVE.org record

Embed the live status

CVE-2026-6912 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-6912 status](https://www.csirts.com/badge/CVE-2026-6912)](https://www.csirts.com/cve/CVE-2026-6912)