CVE-2026-6911

Severity: Critical
Published: 24 April 2026
Modified: 24 April 2026
KEV Added: not listed
CVSS v4.0 base score: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0025 (16.8th percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-6911 is a critical-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in AWS Ops Wheel, an open-source application published by Amazon (vendor inferred from the references; NVD has not filed a CPE). Its CVSS v4.0 base score is 9.3 (Critical); the CVSS v3.1 base score is 9.8.

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 16.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-13 (Cryptographic Protection).

Deeper analysis

CVE-2026-6911 is a critical vulnerability in AWS Ops Wheel, an open-source AWS application whose API is exposed through an API Gateway endpoint and whose users are managed in a Cognito User Pool. Published on 2026-04-24, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) alongside the v4.0 score of 9.3, and is classified as CWE-347 (Improper Verification of Cryptographic Signature). The application accepted JSON Web Tokens without checking their signatures, so the claims inside a token were trusted regardless of who produced it and the authentication mechanism could be bypassed outright.

Unauthenticated attackers can exploit this over the network with low complexity: because the signature is never checked, no signing key is needed, and an attacker simply encodes a token carrying whatever identity and group claims they want and sends it to the API Gateway endpoint. Successful exploitation grants administrative access to Ops Wheel, allowing attackers to read, modify, and delete all application data across tenants and to manage Cognito user accounts within the deployment's User Pool.
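The following Python example is added here to illustrate the flaw class; it is not code from Ops Wheel, its advisory, or the fixing pull request. It places the vulnerable pattern (reading claims straight out of the token, which is what "missing signature verification" amounts to) beside a hardened verifier that pins the algorithm, checks the signature in constant time, and validates exp, iss, aud and token_use. It uses HS256 with a constructed key so it runs offline with only the standard library; Cognito actually issues RS256 tokens that must be verified against the user pool's JWKS, but the claim checks are the same. The issuer URL, app client ID, key and user claims are all made-up values.

```python
"""Vulnerable vs. hardened JWT handling (added example, not Ops Wheel code).

Standard library only. HS256 is used so the demo runs offline; Cognito
issues RS256 tokens that must be verified against the pool's JWKS, but
the checks shown (alg pin, signature, exp, iss, aud, token_use) carry over.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the demo; none of these are real Cognito identifiers.
DEMO_KEY = b"constructed-demo-secret-not-a-real-key"
ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
AUDIENCE = "example-app-client-id"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, alg: str = "HS256", key=DEMO_KEY) -> str:
    """Build a JWT. With alg='none' or key=None the signature is left empty,
    which is exactly what an attacker without the key can still produce."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    if alg == "none" or key is None:
        return f"{header}.{payload}."
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def insecure_decode(token: str) -> dict:
    """The vulnerable pattern: the claims are read and trusted, the signature is never looked at."""
    _, payload, _ = token.split(".")
    return json.loads(_b64url_decode(payload))


def verify_token(token: str, key: bytes = DEMO_KEY, now=None) -> dict:
    """Hardened decode. Raises ValueError unless the token is a correctly
    signed, unexpired ID token for this issuer and audience."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm server-side; never let the token choose it (blocks alg=none).
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != AUDIENCE:  # access tokens carry client_id instead; this demo assumes ID tokens
        raise ValueError("wrong audience")
    if claims.get("token_use") != "id":
        raise ValueError("not an ID token")
    return claims


def demo() -> dict:
    """A legitimately signed user token and an unsigned forgery claiming the admin group."""
    base = {"sub": "user-1", "iss": ISSUER, "aud": AUDIENCE, "token_use": "id",
            "exp": int(time.time()) + 3600}
    legit = make_token({**base, "cognito:groups": ["user"]})
    forged = make_token({**base, "cognito:groups": ["admin"]}, alg="none", key=None)
    results = {
        "insecure_accepts_forged": insecure_decode(forged)["cognito:groups"] == ["admin"],
        "verify_accepts_legit": verify_token(legit)["sub"] == "user-1",
    }
    try:
        verify_token(forged)
        results["verify_rejects_forged"] = False
    except ValueError:
        results["verify_rejects_forged"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The important design point is that the verifier decides the algorithm and the key, not the token header: an application that calls a JWT library's "decode" function without a key, or with verification disabled, ends up in the insecure_decode branch no matter how carefully it then inspects the claims.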

The AWS security advisory, the associated GitHub security advisory (GHSA-v5vr-8w3c-37x2) and pull request #164 recommend remediating by redeploying from the updated repository. Anyone running forked or derivative code must also incorporate the fix, since redeploying an unpatched fork leaves the missing signature check in place.

Vulnerability details

Missing JWT signature verification in AWS Ops Wheel allows unauthenticated attackers to forge JWT tokens and gain unintended administrative access to the application, including the ability to read, modify, and delete all application data across tenants and manage Cognito user accounts within the deployment's User Pool, via a crafted JWT sent to the API Gateway endpoint. To remediate this issue, users should redeploy from the updated repository and ensure any forked or derivative code is patched to incorporate the new fixes.

CWE(s)

CWE-347 Improper Verification of Cryptographic Signature

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a missing JWT signature verification flaw in a public-facing AWS Ops Wheel deployment: unauthenticated remote attackers craft a forged token and send it to the API Gateway endpoint, bypassing authentication entirely and obtaining full administrative access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-27773 (shared CWE-347)
CVE-2026-34840 (shared CWE-347)
CVE-2026-23965 (shared CWE-347)
CVE-2026-5050 (shared CWE-347)
CVE-2023-25574 (shared CWE-347)
CVE-2026-28432 (shared CWE-347)
CVE-2026-38651 (shared CWE-347)
CVE-2025-24043 (shared CWE-347)
CVE-2026-20997 (shared CWE-347)
CVE-2025-41767 (shared CWE-347)

Affected Assets

Amazon (AWS Ops Wheel); vendor inferred from the references and description, as NVD did not file a CPE for this CVE

Mitigating Controls (NIST 800-53 r5)

IA-5 Authenticator Management (prevent): requires management of authenticators with sufficient strength of mechanism to resist forgery attacks, directly addressing the missing JWT signature verification that enables token forgery.

SC-13 Cryptographic Protection (prevent): mandates implementation of cryptographic protections compliant with standards, which encompasses proper signature verification for JWT tokens to ensure authenticity and prevent bypass.

SI-2 Flaw Remediation (prevent): requires timely identification, reporting, and correction of flaws like the missing JWT signature verification through patching and redeployment from updated sources.
