VDB

GCVE-110-CLOUD-2021-0027

GCVE-110-CLOUD-2021-0027
Advisory Published
Vulnetix · Advisory published April 30, 2021
A vulnerability in AWS Cognito's password reset function allowed attackers to brute-force the six-digit reset code, potentially leading to account takeovers. Using concurrent HTTP requests, an attacker could make up to 1587 guesses instead of the documented limit of 20. The issue affected accounts without multi-factor authentication and was fixed by AWS on April 20, 2021.

Affected Products

VendorProductVersionsPlatforms
AWSCognito
AWSSES

Browse GCVE Records

73,734 records in the GCVE database · Updated July 18, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›