Missing JWT Signature Verification in AWS Ops Wheel v2 API
CVE-2026-6911 is a critical authentication bypass vulnerability in the v2 API of AWS Ops Wheel. The application accepted JWTs by base64-decoding the token payload without verifying the cryptographic signature against the Amazon Cognito User Pool RSA signing key. The insecure token handling is attributed to the functions decode_jwt_payload_only() and validate_token_basic(), which did not enforce JWT signature validation. As a result, an unauthenticated attacker can craft a forged JWT with arbitrary claims, including administrative roles and tenant identifiers, and submit it to the API Gateway endpoint to obtain unintended administrative access. The issue affects AWS Ops Wheel v2 deployments built from Pull Request 147 through Pull Request 163; AWS Ops Wheel v1 is not affected. The flaw was fixed in Pull Request 164, which added RS256 signature verification to JWT validation.
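As an added illustration of the bug class described above (example code, not code from AWS Ops Wheel or from the fix in Pull Request 164), the following Python contrasts a payload-only decoder, named after the advisory's decode_jwt_payload_only() but with a reconstructed body, with a verifier that checks the RS256 signature before trusting any claim and then checks issuer, audience and expiry. The key pair, issuer, audience, group and tenant claims are constructed for the example; a real verifier never generates a key but fetches the user pool's public key from the Cognito JWKS endpoint, and the hand-rolled RSA below exists only so the block runs offline with the standard library.

```python
"""Payload-only JWT decoding (CVE-2026-6911 bug class) beside RS256 verification; constructed example."""
import base64
import hashlib
import hmac
import json
import random
_RNG = random.SystemRandom()
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017, 9.2

class InvalidToken(Exception):
    pass

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# Minimal RSA so the example runs offline; a real verifier fetches the user pool's
# public key from the Cognito JWKS endpoint instead of generating one.
def _is_probable_prime(n, rounds=24):
    r = (n - 1 & -(n - 1)).bit_length() - 1  # n - 1 == d * 2**r with d odd
    d = (n - 1) >> r
    for _ in range(rounds):  # Miller-Rabin with random witnesses
        x = pow(_RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = _RNG.getrandbits(bits) | (1 << (bits - 1)) | 1  # exact bit length, odd
        if _is_probable_prime(cand):
            return cand

def generate_rsa_keypair(bits=1024):
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))  # (public, private)

def _emsa_pkcs1_v15(message, k):
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(message, priv):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(message, k), "big"), d, n).to_bytes(k, "big")

def rs256_verify(message, signature, pub):
    n, e = pub
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        return False
    return hmac.compare_digest(pow(s, e, n).to_bytes(k, "big"), _emsa_pkcs1_v15(message, k))

def _segment(obj):
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

def issue_token(claims, priv):
    # Stand-in for the identity provider (Cognito, in Ops Wheel) minting a token.
    signing_input = _segment({"alg": "RS256", "typ": "JWT", "kid": "demo-kid"}) + "." + _segment(claims)
    return signing_input + "." + b64url_encode(rs256_sign(signing_input.encode(), priv))

def decode_jwt_payload_only(token):
    """VULNERABLE: decodes the payload and trusts its claims; the signature is never checked."""
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))

def verify_jwt_rs256(token, pub, issuer, audience, now):
    """FIXED: signature first, then issuer, audience and expiry (now = epoch seconds)."""
    try:
        header_seg, payload_seg, sig_seg = token.split(".")
        header = json.loads(b64url_decode(header_seg))
        signature = b64url_decode(sig_seg)
    except ValueError as exc:  # wrong segment count, bad base64 or bad JSON
        raise InvalidToken("malformed token") from exc
    if not isinstance(header, dict) or header.get("alg") != "RS256":  # refuse 'none' and downgrades
        raise InvalidToken("unexpected alg")
    if not rs256_verify(f"{header_seg}.{payload_seg}".encode(), signature, pub):
        raise InvalidToken("signature verification failed")
    claims = json.loads(b64url_decode(payload_seg))  # verified: exactly what the issuer signed
    if claims.get("iss") != issuer or claims.get("aud") != audience or claims.get("exp", 0) <= now:
        raise InvalidToken("issuer, audience or expiry check failed")
    return claims

def swap_payload(token, new_claims):
    """Edited payload with the old signature kept: what the vulnerable path accepts."""
    header_seg, _payload_seg, sig_seg = token.split(".")
    return f"{header_seg}.{_segment(new_claims)}.{sig_seg}"
```

The verifier takes the current time as an argument so that expiry handling is testable, and it rejects any header whose alg is not the one the deployment expects before touching the signature, which closes the related alg-confusion and `none` cases alongside the missing-verification bug the advisory describes.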
Exploits
No public exploit code observed for this vulnerability.
Recent activity
A critical authentication bypass vulnerability in AWS Ops Wheel caused by missing JWT signature verification, allowing unauthenticated attackers to forge JWTs and obtain administrative access, including cross-tenant data access and Cognito user management.
An authentication bypass vulnerability in AWS Ops Wheel v2 API caused by missing JWT signature verification, allowing unauthenticated administrative access.
An authentication bypass vulnerability in AWS Ops Wheel v2 API caused by missing JWT signature verification, allowing unauthenticated attackers to forge tokens and gain full administrative access, including cross-tenant data access and Cognito user management.