141 matches found
Strapi Versions <=4.5.6 - Authentication Bypass
Strapi through 4.5.5 does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider is used for authentication. A remote attacker could forge an ID token that is signed using the 'None' type algorithm to bypass authentication and impersonate any user that...
CVE-2026-49204
Leftover debug modules contain fixed credentials for internal AWS Cognito test sandboxes, risking asset exploitation...
CVE-2026-6912
Improperly controlled modification of dynamically-determined object attributes in the Cognito User Pool configuration in AWS Ops Wheel before PR 165 allows remote authenticated users to escalate to deployment admin privileges and manage Cognito user accounts via a crafted UpdateUserAttributes API...
CVE-2026-49204
Leftover debug modules contain fixed credentials for internal AWS Cognito test sandboxes, risking asset exploitation...
CVE-2026-49204
Technical details about CVE-2026-49204 are not publicly available in the provided documents; monitor for updates.
CVE-2026-49204 Hard-coded AWS Cognito Testing Accounts
Leftover debug modules contain fixed credentials for internal AWS Cognito test sandboxes, risking asset exploitation...
CVE-2026-49204 Hard-coded AWS Cognito Testing Accounts
Leftover debug modules contain fixed credentials for internal AWS Cognito test sandboxes, risking asset exploitation...
CVE-2026-49204
Leftover debug modules contain fixed credentials for internal AWS Cognito test sandboxes, risking asset exploitation...
EUVD-2026-34216
Leftover debug modules contain fixed credentials for internal AWS Cognito test sandboxes, risking asset exploitation...
PT-2026-46155
Leftover debug modules contain fixed credentials for internal AWS Cognito test sandboxes, risking asset exploitation...
CVE-2026-6911
Missing JWT signature verification in AWS Ops Wheel allows unauthenticated attackers to forge JWT tokens and gain unintended administrative access to the application, including the ability to read, modify, and delete all application data across tenants and manage Cognito user accounts within the...
CVE-2026-6911
Missing JWT signature verification in AWS Ops Wheel allows unauthenticated attackers to forge JWT tokens and gain unintended administrative access to the application, including the ability to read, modify, and delete all application data across tenants and manage Cognito user accounts within the...
CVE-2026-6912
Improperly controlled modification of dynamically-determined object attributes in the Cognito User Pool configuration in AWS Ops Wheel before PR 165 allows remote authenticated users to escalate to deployment admin privileges and manage Cognito user accounts via a crafted UpdateUserAttributes API...
CVE-2026-6912 Privilege Escalation via Self-Writable Cognito Custom Attribute in AWS Ops Wheel
Improperly controlled modification of dynamically-determined object attributes in the Cognito User Pool configuration in AWS Ops Wheel before PR 165 allows remote authenticated users to escalate to deployment admin privileges and manage Cognito user accounts via a crafted UpdateUserAttributes API...
CVE-2026-6912
Improperly controlled modification of dynamically-determined object attributes in the Cognito User Pool configuration in AWS Ops Wheel before PR 165 allows remote authenticated users to escalate to deployment admin privileges and manage Cognito user accounts via a crafted UpdateUserAttributes API...
EUVD-2026-25577
Improperly controlled modification of dynamically-determined object attributes in the Cognito User Pool configuration in AWS Ops Wheel before PR 165 allows remote authenticated users to escalate to deployment admin privileges and manage Cognito user accounts via a crafted UpdateUserAttributes API...
CVE-2026-6912
The CVE-2026-6912 affects AWS Ops Wheel prior to PR #165, where access to dynamically determined Cognito User Pool attributes can be abused. The root cause is improper control over updates to object attributes, enabling remote authenticated users to escalate to deployment-admin privileges by craf...
CVE-2026-6912 Privilege Escalation via Self-Writable Cognito Custom Attribute in AWS Ops Wheel
Improperly controlled modification of dynamically-determined object attributes in the Cognito User Pool configuration in AWS Ops Wheel before PR 165 allows remote authenticated users to escalate to deployment admin privileges and manage Cognito user accounts via a crafted UpdateUserAttributes API...
CVE-2026-6911
Missing JWT signature verification in AWS Ops Wheel allows unauthenticated attackers to forge JWT tokens and gain unintended administrative access to the application, including the ability to read, modify, and delete all application data across tenants and manage Cognito user accounts within the...
CVE-2026-6911 Authentication Bypass via Missing JWT Signature Verification in AWS Ops Wheel
Missing JWT signature verification in AWS Ops Wheel allows unauthenticated attackers to forge JWT tokens and gain unintended administrative access to the application, including the ability to read, modify, and delete all application data across tenants and manage Cognito user accounts within the...