High (8.8)

AWS Ops Wheel admin escalation (CVE-2026-6912)


CVE-2026-6912: AWS Ops Wheel before PR #165 lets any authenticated user escalate to deployment admin through a crafted UpdateUserAttributes call. Redeploy from the updated repository now.

Vendor-confirmed - CVE-2026-6912 is a high-severity privilege escalation in AWS Ops Wheel before PR #165. Any authenticated user can promote themselves to deployment admin and from there manage every account in the application's Cognito User Pool. Operators should redeploy from the updated repository immediately.

Overview

CVE-2026-6912 affects AWS Ops Wheel, a serverless web application that authenticates its users through an Amazon Cognito User Pool and keeps its deployment-admin flag in a custom user attribute. The flaw lies in how the application's Cognito User Pool configuration controls attribute writes: it permits improperly controlled modification of dynamically-determined object attributes (the CWE-915 pattern) through the Cognito UpdateUserAttributes API.

An authenticated user with low privileges can call UpdateUserAttributes with their own access token and set the custom:deployment_admin attribute on their own account. Because nothing restricts which attributes the caller may write, the request succeeds, and the application then treats the user as a deployment admin: they can manage all Cognito user accounts (create, modify, and delete users) and potentially alter the deployment configuration itself. The attack is network-reachable, low complexity, requires only low privileges, and needs no user interaction, which is what makes it simple to execute.

Impact

The practical impact is a full compromise of the AWS Ops Wheel user-management tier. Anyone who can authenticate to the application, including a low-privileged account, can reach the highest administrative level with a single API call. From there the attacker controls every Cognito account in the pool, exposing user data and allowing other accounts to be modified or deleted, and, depending on what the deployment's IAM roles permit, may be able to pivot into connected AWS services. The CVSS base score of 8.8 (High) reflects the privileges gained and the ease of exploitation.

Remediation

The fix is included in PR #165 of the AWS Ops Wheel repository. To remediate this vulnerability:

  • Redeploy AWS Ops Wheel from the updated repository (any commit that includes PR #165 or later).
  • If you maintain a forked or derivative version of the code, port the specific changes from PR #165 that restrict which Cognito attributes can be modified through the UpdateUserAttributes API.
  • After redeployment, audit every user in the pool for an unexpected custom:deployment_admin attribute and remove any unauthorized grant (for example with the AdminDeleteUserAttributes API).
  • Review CloudTrail and application logs for UpdateUserAttributes calls that touched custom:deployment_admin before the patch was applied; any such call from a non-admin account indicates exploitation.
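A post-patch audit covering the last two remediation steps, written as an added example rather than code from the AWS Ops Wheel repository or PR #165. It flags users that carry the admin attribute but are not on the operator's own list of legitimate admins, and checks whether the app client still lets end users write that attribute. Assumptions not stated in the advisory: the flag is stored as a truthy string in custom:deployment_admin, the operator knows the legitimate admin usernames, and the app client's WriteAttributes list is one place the restriction can live (the advisory does not say whether PR #165 changes that setting or filters server-side). The sample data is constructed to match the shape of Cognito's ListUsers and DescribeUserPoolClient responses so the script runs offline; with --pool-id and --client-id it queries a real pool through boto3.

```python
"""Audit a Cognito User Pool after patching CVE-2026-6912.

Added example, not AWS Ops Wheel code. Assumes custom:deployment_admin holds a
truthy string when set and that the operator supplies the legitimate admins.
"""
from __future__ import annotations

import argparse

ADMIN_ATTR = "custom:deployment_admin"
TRUTHY = {"true", "1", "yes"}  # assumed encodings of "flag is set"


def attributes_as_dict(user: dict) -> dict[str, str]:
    """Flatten Cognito's [{'Name': ..., 'Value': ...}] attribute list."""
    return {a["Name"]: a["Value"] for a in user.get("Attributes", [])}


def is_flagged_admin(user: dict) -> bool:
    value = attributes_as_dict(user).get(ADMIN_ATTR, "")
    return value.strip().lower() in TRUTHY


def find_unexpected_admins(users: list[dict], expected_admins: set[str]) -> list[str]:
    """Usernames that carry the admin flag but are not on the operator's list."""
    return sorted(
        u["Username"] for u in users
        if is_flagged_admin(u) and u["Username"] not in expected_admins
    )


def admin_attr_is_client_writable(client_desc: dict) -> bool:
    """True if the app client (DescribeUserPoolClient response) still lets a
    user write custom:deployment_admin with nothing but their own access token."""
    writable = client_desc.get("UserPoolClient", {}).get("WriteAttributes", [])
    return ADMIN_ATTR in writable


# Constructed sample data shaped like ListUsers / DescribeUserPoolClient output.
SAMPLE_USERS = [
    {"Username": "alice", "Enabled": True,
     "Attributes": [{"Name": "email", "Value": "alice@example.com"},
                    {"Name": ADMIN_ATTR, "Value": "true"}]},
    {"Username": "bob", "Enabled": True,
     "Attributes": [{"Name": "email", "Value": "bob@example.com"}]},
    {"Username": "mallory", "Enabled": True,  # self-granted flag, different case
     "Attributes": [{"Name": "email", "Value": "mallory@example.com"},
                    {"Name": ADMIN_ATTR, "Value": "TRUE"}]},
    {"Username": "carol", "Enabled": True,  # flag present but explicitly false
     "Attributes": [{"Name": ADMIN_ATTR, "Value": "false"}]},
]
SAMPLE_EXPECTED_ADMINS = {"alice"}
SAMPLE_CLIENT = {"UserPoolClient": {
    "ClientId": "exampleclientid",
    "WriteAttributes": ["email", "name", ADMIN_ATTR],  # admin flag still user-writable
}}


def fetch_live(pool_id: str, client_id: str) -> tuple[list[dict], dict]:
    """Pull real data with boto3 (needs AWS credentials); not used offline."""
    import boto3  # imported lazily so the offline demo has no dependency
    cidp = boto3.client("cognito-idp")
    users: list[dict] = []
    for page in cidp.get_paginator("list_users").paginate(UserPoolId=pool_id):
        users.extend(page["Users"])
    client_desc = cidp.describe_user_pool_client(UserPoolId=pool_id, ClientId=client_id)
    return users, client_desc


def report(users: list[dict], expected_admins: set[str], client_desc: dict) -> dict:
    return {
        "unexpected_admins": find_unexpected_admins(users, expected_admins),
        "admin_attr_client_writable": admin_attr_is_client_writable(client_desc),
    }


if __name__ == "__main__":
    ap = argparse.ArgumentParser()
    ap.add_argument("--pool-id")
    ap.add_argument("--client-id")
    ap.add_argument("--expected-admin", action="append", default=[])
    args = ap.parse_args()
    if args.pool_id and args.client_id:
        users, client_desc = fetch_live(args.pool_id, args.client_id)
        expected = set(args.expected_admin)
    else:
        users, client_desc, expected = SAMPLE_USERS, SAMPLE_CLIENT, SAMPLE_EXPECTED_ADMINS
    for key, value in report(users, expected, client_desc).items():
        print(f"{key}: {value}")
```

On the constructed data the script reports mallory as an unexpected admin (the case-insensitive match matters, since Cognito stores custom attributes as opaque strings) and warns that the app client still lists the admin attribute as writable. A user whose flag is present but "false" is not reported; remove the attribute anyway if your deployment treats mere presence as a grant.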

Security Insight

This vulnerability highlights a recurring and dangerous pattern in applications that bridge identity management with administrative privilege assignment: treating user-controlled attribute modifications as trusted input. Rather than validating attribute changes server-side against an allowlist of permitted modifications, AWS Ops Wheel let client-supplied attribute values determine administrative state. The same shape appears in directory services and identity platforms where a single API call flips an internal flag and grants superuser access. The takeaway for anyone deploying similar tools is twofold: restrict self-service writes to an explicit allowlist of harmless attributes, and never derive administrative privilege from a user-mutable attribute without an independent authorization check against a store the user cannot write (a Cognito group, an admin table, or a deployment configuration).
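The two halves of that takeaway, shown as an added example that is not code from AWS Ops Wheel or PR #165: a backend that forwards attribute updates to Cognito, first in the pass-through form the advisory describes and then with an allowlist, beside an admin check that reads a user-mutable attribute versus one that reads Cognito group membership. The allowlist contents, the group name "deployment-admins" and the claim names are illustrative assumptions, and the functions expect claims from a token that something upstream (for instance an API Gateway Cognito authorizer) has already verified.

```python
"""Self-service attribute updates and admin derivation, before and after.

Added example, not AWS Ops Wheel code. The allowlist, the group name and the
claim names are assumptions; token claims are assumed to be already verified.
"""
from __future__ import annotations

ADMIN_ATTR = "custom:deployment_admin"

# Attributes an authenticated user may change about themselves (assumed set).
SELF_SERVICE_ATTRS = frozenset({"name", "email", "phone_number"})


class ForbiddenAttribute(PermissionError):
    """Raised when a request names an attribute outside the allowlist."""


def to_cognito_list(attrs: dict[str, str]) -> list[dict[str, str]]:
    """Shape a mapping into the UserAttributes list UpdateUserAttributes takes."""
    return [{"Name": name, "Value": value} for name, value in attrs.items()]


def vulnerable_update_payload(requested: dict[str, str]) -> list[dict[str, str]]:
    """Before: whatever the client sends is forwarded, so a body containing
    {"custom:deployment_admin": "true"} promotes the caller."""
    return to_cognito_list(requested)


def hardened_update_payload(requested: dict[str, str]) -> list[dict[str, str]]:
    """After: reject the whole request if any attribute is outside the allowlist.
    Rejecting (rather than silently dropping) keeps probing visible in logs."""
    disallowed = set(requested) - SELF_SERVICE_ATTRS
    if disallowed:
        raise ForbiddenAttribute(f"attributes not self-service: {sorted(disallowed)}")
    return to_cognito_list(requested)


def is_deployment_admin_vulnerable(token_claims: dict) -> bool:
    """Before: admin state read from a custom attribute the user can write,
    which is exactly the flag UpdateUserAttributes lets them set."""
    return str(token_claims.get(ADMIN_ATTR, "")).strip().lower() == "true"


def is_deployment_admin_hardened(token_claims: dict,
                                 admin_group: str = "deployment-admins") -> bool:
    """After: admin state comes from Cognito group membership. Group changes
    require an IAM principal (AdminAddUserToGroup); end users cannot make them
    through their own access token. No signature checking happens here."""
    groups = token_claims.get("cognito:groups", [])
    return admin_group in groups


def handle_self_service_update(token_claims: dict, requested: dict[str, str]) -> dict:
    """Request handler: admins (by group) may edit any attribute; everyone else
    is held to the allowlist. Returns the payload that would be sent to Cognito."""
    if is_deployment_admin_hardened(token_claims):
        return {"status": "ok", "UserAttributes": to_cognito_list(requested)}
    try:
        return {"status": "ok", "UserAttributes": hardened_update_payload(requested)}
    except ForbiddenAttribute as exc:
        return {"status": "forbidden", "reason": str(exc)}


if __name__ == "__main__":
    # Constructed request: a low-privileged user trying the advisory's escalation.
    probe = {"email": "user@example.com", ADMIN_ATTR: "true"}
    print("before:", vulnerable_update_payload(probe))
    print("after: ", handle_self_service_update({"cognito:groups": []}, probe))
```

The hardened handler never consults custom:deployment_admin at all; if the deployment still carries that attribute for display purposes, a self-set value is harmless because nothing authorizes on it.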
