2026-018-AWS

Issue with AWS Ops Wheel (CVE-2026-6911 and CVE-2026-6912)

Published
April 24, 2026
Last Modified

🔗 CVE IDs covered (2)

📋 Description

Bulletin ID: 2026-018-AWS
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 2026/04/24 09:15 AM PDT

Description: AWS Ops Wheel is an open-source tool that helps teams make random selections using a virtual spinning wheel, deployed into customer AWS accounts via CloudFormation. CVE-2026-6911 relates to an issue where JWT token signature verification was not enforced in the v2 API. CVE-2026-6912 relates to an issue in the v2 Cognito User Pool configuration where attribute write permissions were insufficiently restricted.

Impacted versions: AWS Ops Wheel v2 deployments PR-163 and earlier.

Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.

🔗 References (1)