
bug: Cognito UserPool password policy not working for ChangePasswordCommand #12973

@yuki0418

Description


Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

Even though I set up a UserPool password policy, changing the password with an invalid password still returns success for ChangePasswordCommand.

Password Policy

this.userPool = new UserPool(this, "UserPool", {
      userPoolName: "localstack-cognito-repro-user-pool",
      selfSignUpEnabled: true,
      ...
      passwordPolicy: {
        minLength: 8,
        requireDigits: false,
        requireLowercase: false,
        requireSymbols: false,
        requireUppercase: false,
      },
});

Changing the password returns success even when the new password's length is shorter than minLength.

Expected Behavior

Should return error.

How are you starting LocalStack?

With a docker-compose file

Steps To Reproduce


Reproduction repository.
https://github.com/yuki0418/localstack-issue-repro

Requirements

  • pnpm
  • Docker
  • LocalStack Pro

Setup

  1. Run LocalStack Pro
$ export LOCALSTACK_AUTH_TOKEN="<your_localstack_pro_auth_token>"
$ docker compose up

Reproduction Steps

  1. Install packages
$ pnpm install
  2. Bootstrap and deploy the CDK environment
$ cdklocal bootstrap
$ cdklocal deploy --all --require-approval never
  3. Sign up a user
curl -X POST 'https://test.execute-api.localhost.localstack.cloud:4566/user/signup' \
-H "Content-Type: application/json" \
-d '{"email": "test@example.com", "password": "P@ss1234", "firstName": "Yuki", "lastName": "Ishii"}'
  4. Confirm the user
    You can get the confirmation code from the docker logs
curl -X POST 'https://test.execute-api.localhost.localstack.cloud:4566/user/confirm' \
-H "Content-Type: application/json" \
-d '{"email": "test@example.com", "confirmationCode": "<confirmation_code>"}'
  5. Sign in the user to get the access token
curl -X POST 'https://test.execute-api.localhost.localstack.cloud:4566/user/signin' \
-H "Content-Type: application/json" \
-d '{"email": "test@example.com", "password": "P@ss1234"}'

You will get the access token and IdToken in the response.

  6. Change the password
curl -X PUT 'https://test.execute-api.localhost.localstack.cloud:4566/user/password' \
-H "Content-Type: application/json" \
-H "Authorization: Bearer <Access Token>" \
-d '{"oldPassword": "P@ss1234", "newPassword": "short"}'

You will get:

HTTP/2 200 
server: TwistedWeb/24.3.0
date: Fri, 08 Aug 2025 00:59:31 GMT
content-type: application/json
content-length: 43
apigw-requestid: 8fe23730
x-localstack: true

{"message":"Password changed successfully"}

But you should get an error because of the Cognito setting:

passwordPolicy: {
  minLength: 8,
  requireDigits: false,
  requireLowercase: false,
  requireSymbols: false,
  requireUppercase: false,
},

Environment

- OS: macOS Sonoma v14.6.1
- LocalStack: localstack/localstack-pro
  LocalStack version:
  LocalStack Docker image sha: sha256:0349b7deb4e2dbcfba3a32c3ae2aa2496ae7b0c1fc5c70851804ad0241bf3d49
  LocalStack build date:
  LocalStack build git hash:

Anything else?

I found similar past issues like
#8356
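The issue shows that an emulator may accept a new password the pool's policy should reject, so application code and test suites cannot rely on the backend alone to tell them whether a password is policy-compliant. The following is an added example, not code from the issue, its reproduction repository or LocalStack: a validator that mirrors a Cognito UserPool password policy (the same `minLength` / `require*` fields the CDK snippet above uses) so a client can reject a weak password before calling ChangePasswordCommand, and so a test can assert that `"short"` violates the issue's policy regardless of what the emulator returns. The symbol set and the default policy values are assumptions taken from my reading of the AWS Cognito documentation; verify them against the current docs before depending on them.

```typescript
// Added example (not from the issue or LocalStack): mirror a Cognito UserPool
// password policy locally so weak passwords can be rejected and tested
// independently of the backend's enforcement.

interface PasswordPolicy {
  minLength: number;
  requireDigits: boolean;
  requireLowercase: boolean;
  requireSymbols: boolean;
  requireUppercase: boolean;
}

// The policy configured in the issue's CDK stack.
const issuePolicy: PasswordPolicy = {
  minLength: 8,
  requireDigits: false,
  requireLowercase: false,
  requireSymbols: false,
  requireUppercase: false,
};

// The policy Cognito applies when none is configured.
// Assumption: these are the documented AWS defaults.
const cognitoDefaultPolicy: PasswordPolicy = {
  minLength: 8,
  requireDigits: true,
  requireLowercase: true,
  requireSymbols: true,
  requireUppercase: true,
};

// Characters Cognito counts as symbols. Assumption: taken from the AWS
// "password requirements" documentation; a non-leading, non-trailing space
// is also counted as a symbol.
const COGNITO_SYMBOLS = new Set('^$*.[]{}()?"!@#%&/\\,><\':;|_~`+='.split(''));

// Cognito's hard upper bound on password length (assumption: per AWS docs).
const COGNITO_MAX_LENGTH = 256;

type Violation =
  | 'minLength'
  | 'maxLength'
  | 'requireDigits'
  | 'requireLowercase'
  | 'requireUppercase'
  | 'requireSymbols';

// Returns every policy rule the candidate password breaks; an empty array
// means a pool with this policy should accept it.
function validatePassword(password: string, policy: PasswordPolicy): Violation[] {
  const violations: Violation[] = [];
  const chars = [...password]; // iterate by code point, not UTF-16 unit

  if (chars.length < policy.minLength) violations.push('minLength');
  if (chars.length > COGNITO_MAX_LENGTH) violations.push('maxLength');
  if (policy.requireDigits && !chars.some((c) => c >= '0' && c <= '9')) {
    violations.push('requireDigits');
  }
  if (policy.requireLowercase && !chars.some((c) => c >= 'a' && c <= 'z')) {
    violations.push('requireLowercase');
  }
  if (policy.requireUppercase && !chars.some((c) => c >= 'A' && c <= 'Z')) {
    violations.push('requireUppercase');
  }
  if (policy.requireSymbols) {
    const hasSymbol = chars.some(
      (c, i) => COGNITO_SYMBOLS.has(c) || (c === ' ' && i > 0 && i < chars.length - 1),
    );
    if (!hasSymbol) violations.push('requireSymbols');
  }
  return violations;
}

// Guard to call before ChangePasswordCommand. The error message mirrors the
// name of Cognito's InvalidPasswordException so callers can treat a local
// rejection and a backend rejection the same way.
function assertPasswordMeetsPolicy(password: string, policy: PasswordPolicy): void {
  const violations = validatePassword(password, policy);
  if (violations.length > 0) {
    throw new Error(`InvalidPasswordException: password violates policy (${violations.join(', ')})`);
  }
}

// Stand-alone demo with the issue's own values: "short" must be rejected,
// "P@ss1234" accepted.
console.log('short    ->', validatePassword('short', issuePolicy));
console.log('P@ss1234 ->', validatePassword('P@ss1234', issuePolicy));
```

Used as a pre-check in the `/user/password` handler, `assertPasswordMeetsPolicy(newPassword, issuePolicy)` makes the reproduction's step 6 return an error even when the backend does not enforce the policy; used in a test suite, `validatePassword` gives a deterministic expectation to compare the backend's behaviour against, which is how a regression like the one reported here is caught.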
