VDB
GCVE-110-CLOUD-2021-0027
GCVE-110-CLOUD-2021-0027
Advisory Published
A vulnerability in AWS Cognito's password reset function allowed attackers to brute-force the six-digit reset code, potentially leading to account takeovers. Using concurrent HTTP requests, an attacker could make up to 1587 guesses instead of the documented limit of 20. The issue affected accounts without multi-factor authentication and was fixed by AWS on April 20, 2021.
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| AWS | Cognito | — | — |
| AWS | SES | — | — |
References
Browse GCVE Records
73,734 records in the GCVE database · Updated July 18, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.