PT-2026-35028 · Unknown · Aws Ops Wheel

Published 2026-04-24 · Updated 2026-04-24 · CVE-2026-6912

CVSS v3.1: 8.8 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

AWS Ops Wheel versions prior to PR #165

Description

Improperly controlled modification of dynamically-determined object attributes in the Cognito User Pool configuration allows remote authenticated users to escalate to deployment admin privileges. This is achieved via a crafted 'UpdateUserAttributes' API call that sets the custom:deployment admin attribute, enabling the management of Cognito user accounts.

Recommendations

Redeploy from the updated repository and ensure any forked or derivative code is patched to incorporate the new fixes.
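
A check a defender can run after redeploying, given as an added example (not code from AWS Ops Wheel or PR #165): it flags Cognito app clients whose WriteAttributes list lets a signed-in user set a privileged custom attribute through UpdateUserAttributes. The attribute name custom:example_admin_flag, the client names and the sample data are constructed placeholders; the dict shapes follow boto3's describe_user_pool and describe_user_pool_client responses.

```python
# Added example: audit Cognito app clients for self-service write access to
# privileged custom attributes. Runs offline on constructed sample data.

def audit_write_access(schema_attributes, clients, privileged):
    """Return a list of (client_name, attribute, verdict) findings."""
    # Attributes the pool schema explicitly marks immutable. A missing flag is
    # treated as mutable, which is the conservative reading for an audit.
    immutable = {a["Name"] for a in schema_attributes if a.get("Mutable") is False}
    findings = []
    for client in clients:
        name = client["ClientName"]
        write = client.get("WriteAttributes")
        if write is None:
            # No explicit allow-list on this client: the effective write set
            # has to be confirmed by hand rather than assumed safe.
            findings.append((name, "*", "REVIEW: WriteAttributes not set"))
            continue
        for attr in sorted(set(write) & set(privileged)):
            if attr in immutable:
                verdict = "WARN: listed in WriteAttributes, schema marks it immutable"
            else:
                verdict = "FAIL: writable by the signed-in user"
            findings.append((name, attr, verdict))
    return findings

# Placeholder attribute name (hypothetical, not taken from the advisory).
PRIVILEGED = {"custom:example_admin_flag"}

# Constructed sample: a subset of UserPool.SchemaAttributes.
SAMPLE_SCHEMA = [
    {"Name": "email", "Mutable": True},
    {"Name": "custom:example_admin_flag", "Mutable": True},
]

# Constructed sample: three UserPoolClient entries (weak, corrected, unset).
SAMPLE_CLIENTS = [
    {"ClientName": "web-before",
     "WriteAttributes": ["email", "custom:example_admin_flag"]},
    {"ClientName": "web-after", "WriteAttributes": ["email"]},
    {"ClientName": "legacy"},
]

if __name__ == "__main__":
    for finding in audit_write_access(SAMPLE_SCHEMA, SAMPLE_CLIENTS, PRIVILEGED):
        print(*finding, sep="  ")
```

Against a live pool, feed it the SchemaAttributes and UserPoolClient dicts returned by those two boto3 calls and the real names of any attributes that gate privileges.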

Fix


Weakness Enumeration

Related Identifiers

CVE-2026-6912

Affected Products

Aws Ops Wheel