CVE-2026-6911
Published: 24 April 2026
Summary
CVE-2026-6911 is a critical-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in an Amazon product (vendor inferred from references). Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 16.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-13 (Cryptographic Protection).
Deeper analysis
CVE-2026-6911 is a critical vulnerability involving missing JWT signature verification in AWS OpsWheel, an open-source application for managing AWS operations. Published on 2026-04-24, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-347 (Improper Verification of Cryptographic Signature). The flaw enables attackers to bypass authentication mechanisms due to the lack of proper signature checks on JSON Web Tokens used by the application.
Unauthenticated attackers can exploit this vulnerability over the network with low complexity by crafting forged JWT tokens and sending them to the API Gateway endpoint. Successful exploitation grants unintended administrative access to the OpsWheel application, allowing attackers to read, modify, and delete all application data across tenants, as well as manage Cognito user accounts within the deployment's User Pool.
AWS security advisories and the associated GitHub security advisory (GHSA-v5vr-8w3c-37x2) and pull request (#164) recommend remediation by redeploying from the updated repository. Users must also ensure that any forked or derivative code incorporates the fixes to address the missing signature verification.
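The defect class described above is a decoder that reads the claims of a JSON Web Token without checking its signature, so any client can edit its own token and be believed. The following is an added example, not OpsWheel project code and not taken from the fix in PR #164: it implements HS256 JWT issuance and two decoders with only the Python standard library, shows the unverified decoder accepting a token whose claims were altered after signing, and shows a verifying decoder rejecting it. The key, issuer URL, claim names and timestamps are constructed for the demonstration.

```python
"""Added example (not OpsWheel project code): an HS256 JWT decoder that skips
signature verification (CWE-347) beside one that verifies. All keys, claims
and tokens are constructed."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"constructed-demo-key-do-not-reuse"  # constructed; real keys belong in a secret store


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def issue_hs256(payload: dict, key: bytes) -> str:
    """Mint a token the way a legitimate issuer would (header.payload.signature)."""
    signing_input = _json_segment({"alg": "HS256", "typ": "JWT"}) + "." + _json_segment(payload)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def decode_unverified(token: str) -> dict:
    """Vulnerable pattern (CWE-347): returns the claims without checking the signature."""
    _, payload_b64, _ = token.split(".")
    return json.loads(_b64url_decode(payload_b64))


def decode_verified(token: str, key: bytes, issuer: str, now: Optional[float] = None) -> dict:
    """Hardened pattern: pin the algorithm, verify the HMAC in constant time, then check claims."""
    header_b64, payload_b64, sig_b64 = token.split(".")  # ValueError unless exactly 3 segments
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("algorithm not allowed")  # rejects 'none' and algorithm substitution
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if "exp" not in claims or claims["exp"] <= now:
        raise ValueError("token expired or missing exp")
    return claims


def tamper_payload(token: str, new_payload: dict) -> str:
    """Constructed test input: swap the claims but keep the original signature.
    Any holder of a token can do this to their own token; only verification catches it."""
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{_json_segment(new_payload)}.{sig_b64}"


def is_accepted(decoder, token: str, **kwargs) -> bool:
    """True if the decoder returns claims, False if it rejects the token."""
    try:
        decoder(token, **kwargs)
        return True
    except (ValueError, KeyError):  # covers malformed base64/JSON, bad alg, bad signature, bad claims
        return False


def demo(now: float = 1_700_000_000.0) -> dict:
    issuer = "https://issuer.example"  # constructed
    genuine = issue_hs256({"sub": "alice", "role": "user", "iss": issuer, "exp": now + 3600}, SECRET)
    forged = tamper_payload(genuine, {"sub": "alice", "role": "admin", "iss": issuer, "exp": now + 3600})
    return {
        "genuine_unverified": decode_unverified(genuine)["role"],
        "forged_unverified": decode_unverified(forged)["role"],  # 'admin': the vulnerable path believes it
        "genuine_verified": is_accepted(decode_verified, genuine, key=SECRET, issuer=issuer, now=now),
        "forged_verified": is_accepted(decode_verified, forged, key=SECRET, issuer=issuer, now=now),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The verifying decoder pins the algorithm before touching the signature, compares with `hmac.compare_digest` rather than `==`, and checks `iss` and `exp` only after the signature holds; a production deployment would additionally validate `aud` and source the key from the identity provider (for Cognito, the pool's published JWKS with RS256) rather than a shared secret.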
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25576
Vulnerability details
Missing JWT signature verification in AWS Ops Wheel allows unauthenticated attackers to forge JWT tokens and gain unintended administrative access to the application, including the ability to read, modify, and delete all application data across tenants and manage Cognito user accounts within the deployment's User Pool, via a crafted JWT sent to the API Gateway endpoint. To remediate this issue, users should redeploy from the updated repository and ensure any forked or derivative code is patched to incorporate the new fixes.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a missing JWT signature verification flaw in a public-facing AWS OpsWheel application, allowing unauthenticated remote attackers to craft forged tokens and bypass authentication to the API Gateway endpoint for full admin access.
Mitigating Controls (NIST 800-53 r5)
IA-5 requires management of authenticators with sufficient strength of mechanism to resist forgery attacks, directly addressing the missing JWT signature verification that enables token forgery.
SC-13 mandates implementation of cryptographic protections compliant with standards, which encompasses proper signature verification for JWT tokens to ensure authenticity and prevent bypass.
SI-2 requires timely identification, reporting, and correction of flaws like the missing JWT signature verification through patching and redeployment from updated sources.