JustAppSec

AWS Ops Wheel fixes JWT signature verification auth bypass

Published 24 Apr 2026. Source: AWS Security Bulletin

TL;DR — AWS Ops Wheel v2 did not verify JWT signatures, so an unauthenticated attacker could send a crafted JWT to the API Gateway endpoint and obtain unintended administrative access.

What happened

AWS Ops Wheel is an open-source “virtual spinning wheel” app that teams deploy into their own AWS accounts (commonly via CloudFormation) to make random selections. (aws.amazon.com)

AWS disclosed that the v2 API did not enforce cryptographic signature verification on JWTs used for authentication. An unauthenticated actor with network access to the API Gateway endpoint could craft a JWT and gain admin access, including the ability to read, modify, and delete all application data across tenants and manage Cognito user accounts in the deployment’s User Pool. (aws.amazon.com)

This is a high-leverage failure mode. “Missing signature verification” turns any exposed API into a token-forgery surface, and the blast radius here includes tenant-wide data and identity administration. (aws.amazon.com)
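To make the failure concrete, here is an added example (not Ops Wheel's own code; the HS256 key, claims and tampered token are constructed for illustration) that puts a decoder which trusts the payload without checking the signature beside one that pins the algorithm and verifies the MAC before any claim is used for authorization:

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real deployment loads the verification key from configuration.
DEMO_KEY = b"constructed-demo-signing-key"

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_hs256(claims: dict, key: bytes) -> str:
    """Issue a legitimately signed HS256 token (stands in for the identity provider)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def tampered_token(token: str, claims: dict) -> str:
    """Test fixture: replace the claims but keep the original header and signature."""
    header, _, sig = token.split(".")
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.{sig}"

def decode_unverified(token: str) -> dict:
    """The vulnerable pattern: trust whatever the payload says and never check the signature."""
    return json.loads(_b64url_decode(token.split(".")[1]))

def decode_verified(token: str, key: bytes) -> dict:
    """Hardened: pin the algorithm, recompute the MAC, compare in constant time, then trust claims."""
    header_b64, payload_b64, sig_b64 = token.split(".")  # ValueError unless exactly 3 parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # rejects 'none' and algorithm-confusion headers
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")
    return json.loads(_b64url_decode(payload_b64))

def is_admin(token: str, key: bytes) -> bool:
    """Authorization decision fed only by the verified decoder."""
    try:
        return decode_verified(token, key).get("role") == "admin"
    except ValueError:
        return False
```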

Who is impacted

  • AWS Ops Wheel v2 deployments up to and including PR #163 (“PR #163 and earlier” in AWS’s bulletin). (aws.amazon.com)
  • The GitHub advisory narrows the vulnerable v2 range to PR #147 through PR #163.
  • The v1 API is not affected. (github.com)

Item               Affected                   Patched
AWS Ops Wheel v2   PR #147 through PR #163    PR #164

Severity: Critical (CVSS v3.1 base score 9.8; CWE-347). (github.com)

What to do now

  • Follow vendor remediation guidance and redeploy a fixed version.

    "Users should redeploy from the latest version and ensure any forked or derivative code is patched to incorporate the new fixes." (aws.amazon.com)

  • Confirm whether you run AWS Ops Wheel v2 and whether your API Gateway endpoint is reachable from untrusted networks (internet or broad internal segments). (aws.amazon.com)
  • If you cannot immediately redeploy, apply the vendor’s workaround to reduce exposure.

    "Customers who cannot immediately redeploy can restrict network access to their API Gateway endpoint using AWS WAF or VPC configurations to limit access." (aws.amazon.com)

  • If compromise is suspected, treat this as an admin-level auth failure: review API Gateway access logs for anomalous admin actions and review/rotate credentials tied to the affected deployment’s Cognito User Pool where operationally appropriate. (aws.amazon.com)
