CVE-2026-6550

Summary

Cryptographic algorithm downgrade in the caching layer of Amazon AWS Encryption SDK for Python before version 3.3.1 and before version 4.0.5 might allow an authenticated local threat actor to bypass key commitment policy enforcement via a shared key cache, resulting in ciphertext that can be decrypted to multiple different plaintexts.

To remediate this issue, users should upgrade to version 3.3.1, 4.0.5 or above.

Affected Software

VendorProductVersion RangeStatus
AWSAWS Encryption SDK for Python2 <= 2.5.1affected
AWSAWS Encryption SDK for Python3 <= 3.3.0affected
AWSAWS Encryption SDK for Python4 <= 4.0.4affected

Weaknesses

  • CWE-757: CWE-757 Selection of Less-Secure algorithm during negotiation ('algorithm downgrade')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References