CVE-2026-6550

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score

4.7 / 10

Vector String

                                        CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N                                    

Vulnerability Description

Cryptographic algorithm downgrade in the caching layer of Amazon AWS Encryption SDK for Python before version 3.3.1 and before version 4.0.5 might allow an authenticated local threat actor to bypass key commitment policy enforcement via a shared key cache, resulting in ciphertext that can be decrypted to multiple different plaintexts.

To remediate this issue, users should upgrade to version 3.3.1, 4.0.5 or above.

Vulnerability Details

Published Date

April 20, 2026

Last Modified

April 20, 2026

CWE ID

CWE-757

Source

NVD

External References

https://aws.amazon.com/security/security-bulletins/2026-017-aws/
https://github.com/aws/aws-encryption-sdk-python/releases/tag/v3.3.1
https://github.com/aws/aws-encryption-sdk-python/releases/tag/v4.0.5
https://github.com/aws/aws-encryption-sdk-python/security/advisories/GHSA-v638-38fc-rhfv

CVE-2026-6550

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment