Cyber Posture

CVE-2026-6912

Severity: High
Published: 24 April 2026
Modified: 24 April 2026
KEV Added: not listed
Patch: available (PR #165)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0017 (38.2nd percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-6912 is a high-severity Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915) vulnerability in AWS Ops Wheel (vendor Amazon, inferred from the references because NVD filed no CPE). Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 38.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and one other technique, Additional Cloud Roles (T1098.003). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): Enforces approved authorizations to prevent unauthorized modification of Cognito User Pool attributes such as custom:deployment_admin via API calls.

AC-6 Least Privilege (prevent): Restricts privileges to the minimum necessary, blocking low-privileged users from escalating to deployment admin via attribute modification.

AC-2 Account Management (prevent): Manages accounts and associated privileges in Cognito User Pools to prevent improper assignment of admin roles through crafted updates.

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1098.003 Additional Cloud Roles (tactic: Persistence)
An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant.
Why these techniques?

The vulnerability lets low-privileged authenticated users abuse the improperly controlled attribute set through the UpdateUserAttributes API, setting a custom admin attribute to escalate privileges (T1068). Because that attribute then grants deployment-admin rights, including management of Cognito user accounts, the same write effectively adds cloud privileges to the attacker's own account (T1098.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
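The two techniques above suggest what to hunt for: a self-service UpdateUserAttributes call that names a privileged custom attribute, and AdminUpdateUserAttributes calls to the same attribute from principals that are not the expected admin tooling. The script below is an added example, not code from AWS Ops Wheel or from this page; it runs a rule over CloudTrail-style records. The record field names (eventSource, eventName, requestParameters.userAttributes[].name, userIdentity.arn) follow CloudTrail's usual shape but are an assumption to verify against your own trail, the TRUSTED_ADMIN_ARNS allowlist is hypothetical, and the sample records are constructed. The rule keys on attribute names only, so it works whether or not the trail redacts values.

```python
"""Flag Cognito attribute writes that set a privileged custom attribute (added example)."""
from __future__ import annotations

import json
from dataclasses import dataclass

# Attribute(s) the application treats as authorization state; the advisory names this one.
PRIVILEGED_ATTRS = frozenset({"custom:deployment_admin"})

# Self-service writes are the exploit path in the advisory (HIGH). Admin writes are
# usually legitimate tooling, so they are flagged for review unless the caller is trusted.
WRITE_EVENTS = {"UpdateUserAttributes": "HIGH", "AdminUpdateUserAttributes": "REVIEW"}


@dataclass(frozen=True)
class Alert:
    severity: str
    event_name: str
    attribute: str
    actor: str
    event_time: str


def attribute_names(record: dict) -> set[str]:
    """Attribute names in requestParameters.userAttributes (either casing); values not needed."""
    params = record.get("requestParameters") or {}
    items = params.get("userAttributes") or params.get("UserAttributes") or []
    names = set()
    for item in items:
        name = item.get("name") or item.get("Name")
        if name:
            names.add(name)
    return names


def actor_of(record: dict) -> str:
    """Best available caller identity: ARN, then principal id, then source IP."""
    ident = record.get("userIdentity") or {}
    return ident.get("arn") or ident.get("principalId") or record.get("sourceIPAddress", "unknown")


def detect(records, privileged=PRIVILEGED_ATTRS, trusted_admin_arns=frozenset()) -> list[Alert]:
    alerts: list[Alert] = []
    for rec in records:
        if rec.get("eventSource") != "cognito-idp.amazonaws.com":
            continue
        name = rec.get("eventName", "")
        severity = WRITE_EVENTS.get(name)
        if severity is None:
            continue
        actor = actor_of(rec)
        if name == "AdminUpdateUserAttributes" and actor in trusted_admin_arns:
            continue  # expected admin tooling writing the attribute
        for attr in sorted(attribute_names(rec) & privileged):
            alerts.append(Alert(severity, name, attr, actor, rec.get("eventTime", "")))
    return alerts


def parse_jsonl(text: str) -> list[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed sample trail (JSON lines). Field names are assumed; check them against your trail.
SAMPLE_TRAIL = """
{"eventTime": "2026-04-24T10:00:01Z", "eventSource": "cognito-idp.amazonaws.com", "eventName": "UpdateUserAttributes", "sourceIPAddress": "198.51.100.10", "requestParameters": {"accessToken": "HIDDEN_DUE_TO_SECURITY_REASONS", "userAttributes": [{"name": "email", "value": "HIDDEN_DUE_TO_SECURITY_REASONS"}]}}
{"eventTime": "2026-04-24T10:02:17Z", "eventSource": "cognito-idp.amazonaws.com", "eventName": "UpdateUserAttributes", "sourceIPAddress": "203.0.113.55", "requestParameters": {"accessToken": "HIDDEN_DUE_TO_SECURITY_REASONS", "userAttributes": [{"name": "custom:deployment_admin", "value": "HIDDEN_DUE_TO_SECURITY_REASONS"}]}}
{"eventTime": "2026-04-24T10:05:00Z", "eventSource": "cognito-idp.amazonaws.com", "eventName": "AdminUpdateUserAttributes", "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/ops-wheel-admin/deploy"}, "requestParameters": {"userPoolId": "us-east-1_EXAMPLE", "username": "alice", "userAttributes": [{"name": "custom:deployment_admin", "value": "true"}]}}
{"eventTime": "2026-04-24T10:09:42Z", "eventSource": "cognito-idp.amazonaws.com", "eventName": "AdminUpdateUserAttributes", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"}, "requestParameters": {"userPoolId": "us-east-1_EXAMPLE", "username": "mallory", "userAttributes": [{"name": "custom:deployment_admin", "value": "true"}]}}
"""

# Hypothetical allowlist: the deployment role that is expected to set admin attributes.
TRUSTED_ADMIN_ARNS = frozenset({"arn:aws:sts::123456789012:assumed-role/ops-wheel-admin/deploy"})


def run_sample() -> list[Alert]:
    return detect(parse_jsonl(SAMPLE_TRAIL), trusted_admin_arns=TRUSTED_ADMIN_ARNS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a.severity}] {a.event_time} {a.event_name} {a.attribute} by {a.actor}")
```

On the constructed sample the benign email update and the trusted deploy-role write are ignored, the self-service write to custom:deployment_admin raises HIGH, and the contractor's admin write raises REVIEW. Any HIGH hit against a pool where the attribute is supposed to be admin-only is a strong exploitation indicator for this CVE.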

NVD Description

Improperly controlled modification of dynamically-determined object attributes in the Cognito User Pool configuration in AWS Ops Wheel before PR #165 allows remote authenticated users to escalate to deployment admin privileges and manage Cognito user accounts via a crafted UpdateUserAttributes API call that sets the custom:deployment_admin attribute. To remediate this issue, users should redeploy from the updated repository and ensure any forked or derivative code is patched to incorporate the new fixes.

Deeper analysis

CVE-2026-6912 is an improper control over modification of dynamically-determined object attributes vulnerability (CWE-915) in the Cognito User Pool configuration of AWS Ops Wheel prior to pull request #165. This flaw enables unauthorized changes to object attributes via the UpdateUserAttributes API call. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-04-24.

Remote authenticated users with low privileges can exploit the vulnerability over the network with low complexity and no user interaction required. By crafting an UpdateUserAttributes API call to set the custom:deployment_admin attribute, attackers can escalate to deployment admin privileges, allowing them to manage Cognito user accounts.

Advisories recommend redeploying from the updated repository after merging PR #165 and patching any forked or derivative code to incorporate the fixes. Further details are provided in the AWS security bulletin at https://aws.amazon.com/security/security-bulletins/2026-018-aws/, the GitHub pull request at https://github.com/aws/aws-ops-wheel/pull/165, and the GitHub security advisory at https://github.com/aws/aws-ops-wheel/security/advisories/GHSA-qvfh-9cjw-8wwq.
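The page does not say what PR #165 changes, so the check below is an added example rather than Ops Wheel's own code or its fix. It audits the configuration condition that makes this class of CWE-915 bug possible in Cognito: a custom attribute the application reads as an authorization flag (custom:deployment_admin, from the advisory) that an app client lists in its WriteAttributes, so the holder of an ordinary access token can set it with UpdateUserAttributes. Feed it the JSON from `aws cognito-idp describe-user-pool` and `describe-user-pool-client`; the sample pool and the two app clients below (one weak, one hardened) are constructed. The handling of an app client with no explicit WriteAttributes is deliberately conservative, because the pool default then applies and should be confirmed rather than assumed safe.

```python
"""Audit Cognito app clients for self-service-writable privileged attributes (added example)."""
from __future__ import annotations

from dataclasses import dataclass

# Attributes the application reads as authorization state. The advisory names
# custom:deployment_admin; add any others your deployment uses.
PRIVILEGED_ATTRS = frozenset({"custom:deployment_admin"})


@dataclass(frozen=True)
class Finding:
    client_name: str
    attribute: str
    severity: str  # "HIGH": confirmed self-service write; "REVIEW": needs a manual check
    reason: str


def schema_entry(pool: dict, attr: str) -> dict | None:
    """SchemaAttributes entry for attr, or None if the pool does not define it.

    The schema stores custom attributes without the "custom:" prefix that
    tokens and UpdateUserAttributes use.
    """
    bare = attr.removeprefix("custom:")
    for entry in pool.get("UserPool", pool).get("SchemaAttributes", []):
        if entry.get("Name") == bare:
            return entry
    return None


def audit_client(pool: dict, client: dict, privileged=PRIVILEGED_ATTRS) -> list[Finding]:
    c = client.get("UserPoolClient", client)
    name = c.get("ClientName") or c.get("ClientId", "<unnamed client>")
    writable = c.get("WriteAttributes") or []
    findings: list[Finding] = []
    for attr in sorted(privileged):
        entry = schema_entry(pool, attr)
        if entry is None:
            continue  # pool does not define this attribute at all
        if entry.get("DeveloperOnlyAttribute"):
            continue  # only developer/admin credentials can write it (exposed as dev:custom:...)
        if not writable:
            # No explicit WriteAttributes: Cognito applies its pool default. Confirm the
            # default against current AWS documentation instead of assuming it is safe.
            findings.append(Finding(name, attr, "REVIEW",
                                    "no explicit WriteAttributes; pool default applies"))
        elif attr in writable:
            if entry.get("Mutable", False):
                findings.append(Finding(name, attr, "HIGH",
                                        "mutable and in WriteAttributes: self-service "
                                        "UpdateUserAttributes can set it"))
            else:
                findings.append(Finding(name, attr, "REVIEW",
                                        "immutable but in WriteAttributes: check whether an "
                                        "unset value can still be written once"))
    return findings


def audit_pool(pool: dict, clients: list[dict], privileged=PRIVILEGED_ATTRS) -> list[Finding]:
    """Audit every app client; one permissive client is enough to expose the attribute."""
    return [f for c in clients for f in audit_client(pool, c, privileged)]


# --- constructed sample input, shaped like describe-user-pool / describe-user-pool-client ---
SAMPLE_POOL = {"UserPool": {"Id": "us-east-1_EXAMPLE", "SchemaAttributes": [
    {"Name": "email", "AttributeDataType": "String", "Mutable": True,
     "DeveloperOnlyAttribute": False},
    {"Name": "deployment_admin", "AttributeDataType": "String", "Mutable": True,
     "DeveloperOnlyAttribute": False},
]}}

# Weak client: the admin flag is writable by whoever holds a user access token.
WEAK_CLIENT = {"UserPoolClient": {"ClientName": "ops-wheel-web-weak",
               "WriteAttributes": ["email", "custom:deployment_admin"]}}

# Hardened client: only profile attributes are writable; admin state is out of reach.
HARDENED_CLIENT = {"UserPoolClient": {"ClientName": "ops-wheel-web-hardened",
                   "WriteAttributes": ["email"]}}


if __name__ == "__main__":
    for f in audit_pool(SAMPLE_POOL, [WEAK_CLIENT, HARDENED_CLIENT]):
        print(f"[{f.severity}] {f.client_name}: {f.attribute} -- {f.reason}")
```

After redeploying a patched Ops Wheel, running this against every app client of the pool is a cheap way to confirm the privileged attribute is no longer self-service writable. Removing the attribute from WriteAttributes (or marking it developer-only) addresses the CWE-915 condition only; the application must still make its authorization decision from a source the user cannot write.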

Details

CWE(s)
CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes

Affected Products
AWS Ops Wheel (vendor Amazon), inferred from the references and description; NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2026-34427 (shared CWE-915)
CVE-2026-34406 (shared CWE-915)
CVE-2026-34179 (shared CWE-915)
CVE-2025-15602 (shared CWE-915)
CVE-2026-5708 (shared CWE-915)
CVE-2026-33453 (shared CWE-915)
CVE-2026-40897 (shared CWE-915)
CVE-2026-45229 (shared CWE-915)
CVE-2026-34208 (shared CWE-915)
CVE-2026-29056 (shared CWE-915)

References