Introduction
A misconfigured Amazon Cognito User Pool Client in AWS Ops Wheel v2 allows any authenticated user to grant themselves full deployment admin privileges with a single API call. The result is complete administrative control over the application, including the ability to read, modify, and delete all data across tenants and manage every Cognito user account in the deployment.
AWS Ops Wheel is an open source tool that helps teams make random selections using a virtual spinning wheel. It is deployed into customer AWS accounts via CloudFormation and is used by development and operations teams for lightweight decision making. Because the infrastructure lives entirely in customer accounts, AWS cannot push a central fix; each deployment must be individually updated.
Technical Information
Root Cause: Unrestricted Cognito WriteAttributes
CVE-2026-6912 falls under CWE-915: Improperly Controlled Modification of Dynamically Determined Object Attributes. The core issue is that the Cognito UserPoolClient in affected AWS Ops Wheel v2 deployments was configured without WriteAttributes restrictions. This means the Cognito client did not enforce any controls over which custom attributes an authenticated user could modify on their own profile.
Among the custom attributes available in the User Pool were custom:deployment_admin and custom:wheel_group_id. These attributes are used by the application's authorization logic to determine a user's privilege level. Because the UserPoolClient placed no restrictions on client side writes, any authenticated user could freely set these attributes.
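As an added defensive check that is not part of the advisory or of the Ops Wheel code, the following Python audits an app client description for this misconfiguration. It assumes the dict shape returned by boto3's cognito-idp describe_user_pool_client (ClientName, ClientId, WriteAttributes) and, following the advisory's description of the flaw, treats a missing or empty WriteAttributes allowlist as unrestricted.

```python
# Added example (not AWS Ops Wheel code): audit a Cognito UserPoolClient for
# the CVE-2026-6912 misconfiguration. Input is the "UserPoolClient" dict from
#   boto3.client("cognito-idp").describe_user_pool_client(
#       UserPoolId=..., ClientId=...)["UserPoolClient"]
# Constructed sample dicts are embedded below so this runs offline.

# The two attributes the Ops Wheel authorization logic trusts.
SENSITIVE_ATTRIBUTES = {"custom:deployment_admin", "custom:wheel_group_id"}


def writable_sensitive_attributes(client: dict) -> set[str]:
    """Return the sensitive attributes this app client may write.

    WriteAttributes is an allowlist. Following the advisory, an absent or
    empty list is treated as "no restriction", i.e. every attribute writable.
    """
    allowlist = client.get("WriteAttributes") or []
    if not allowlist:
        return set(SENSITIVE_ATTRIBUTES)
    return SENSITIVE_ATTRIBUTES & set(allowlist)


def audit_client(client: dict) -> dict:
    """Summarise one app client: vulnerable if any sensitive attribute is writable."""
    exposed = writable_sensitive_attributes(client)
    return {
        "client": client.get("ClientName", client.get("ClientId", "?")),
        "vulnerable": bool(exposed),
        "writable_sensitive": sorted(exposed),
    }


# Constructed samples (placeholder names/ids, not real deployments).
VULNERABLE_CLIENT = {"ClientName": "ops-wheel-web", "ClientId": "EXAMPLECLIENTID1"}
# No WriteAttributes key at all: the pre-PR-165 shape, unrestricted.

EXPLICITLY_OPEN_CLIENT = {
    "ClientName": "ops-wheel-web",
    "WriteAttributes": ["email", "name",
                        "custom:deployment_admin", "custom:wheel_group_id"],
}

RESTRICTED_CLIENT = {
    "ClientName": "ops-wheel-web",
    # Sensitive attributes omitted from the allowlist -> not client-writable.
    "WriteAttributes": ["email", "name"],
}

if __name__ == "__main__":
    for c in (VULNERABLE_CLIENT, EXPLICITLY_OPEN_CLIENT, RESTRICTED_CLIENT):
        print(audit_client(c))
```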
Attack Flow
The exploitation path is straightforward:
- An attacker authenticates to the AWS Ops Wheel v2 application through any valid account in the Cognito User Pool.
- The attacker issues a crafted UpdateUserAttributes API call directly against the Cognito service, setting the custom:deployment_admin attribute on their own user profile.
- On subsequent requests, the application's authorization logic reads the now modified attribute and treats the attacker as a deployment admin.
- With admin privileges, the attacker gains the ability to read, modify, and delete all application data across tenants, as well as manage Cognito user accounts within the deployment User Pool.
The CVSS v3.1 score of 8.8 reflects the characteristics of this attack: network based vector, low attack complexity, low privileges required (any authenticated user), no user interaction needed, and high impact across confidentiality, integrity, and availability.
How PR 165 Addresses the Flaw
The fix introduced in PR 165 applies multiple layers of defense:
- WriteAttributes restriction on the Cognito UserPoolClient: The patch explicitly blocks client side writes to custom:deployment_admin and custom:wheel_group_id. This prevents authenticated users from modifying these security sensitive attributes through the UpdateUserAttributes API.
- Server side email verification: As defense in depth, the patch implements server side email verification against DEPLOYMENT_ADMIN_EMAILS in the authorizer, middleware, and deployment admin operations. Even if the attribute restriction were somehow bypassed, the server side check would reject unauthorized admin requests.
- Admin API continuity: Admin API calls made by deploy scripts and Lambda functions bypass the WriteAttributes restriction and continue to function normally, ensuring the patch does not break legitimate administrative workflows.
Companion Vulnerability: CVE-2026-6911
It is worth noting that AWS addressed a second vulnerability in the same security bulletin. CVE-2026-6911 involves missing JWT signature verification in the v2 API, which allows unauthenticated administrative access. That issue is resolved in PR 164. The two vulnerabilities together represent a comprehensive failure in the v2 authentication and authorization stack, and both patches must be applied to eliminate all known escalation paths.
| Vulnerability ID | Component | Root Cause | Patch | Impact |
|---|---|---|---|---|
| CVE-2026-6911 | v2 API | Missing JWT signature verification | PR 164 | Unauthenticated administrative access |
| CVE-2026-6912 | Cognito User Pool | Improperly controlled attribute modification | PR 165 | Authenticated privilege escalation |
Affected Systems and Versions
The vulnerability impacts all AWS Ops Wheel v2 deployments from PR 147 through PR 163. The v1 API is explicitly noted as not affected.
Any organization running a forked or derivative version of AWS Ops Wheel v2 within this range should assume they are vulnerable unless they have independently restricted Cognito UserPoolClient WriteAttributes.
Vendor Security History
The simultaneous disclosure of CVE-2026-6911 and CVE-2026-6912 reveals that the v2 rewrite of AWS Ops Wheel introduced fundamental authentication and authorization weaknesses that were not present in v1. CVE-2026-6911 allowed complete authentication bypass through missing JWT signature verification, while CVE-2026-6912 allowed privilege escalation through unrestricted Cognito attribute writes. Together, these represent a significant lapse in the security posture of the v2 API, though AWS's coordinated response and clear remediation guidance demonstrate a structured approach to disclosure and resolution.