Key commitment policy bypass via shared key cache in AWS...

4.7 / 10

MEDIUM

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N

Description

Cryptographic algorithm downgrade in the caching layer of Amazon AWS Encryption SDK for Python before version 3.3.1 and before version 4.0.5 might allow an authenticated local threat actor to bypass key commitment policy enforcement via a shared key cache, resulting in ciphertext that can be decrypted to multiple different plaintexts.

To remediate this issue, users should upgrade to version 3.3.1, 4.0.5 or above.

Basic Information

ID CVE-2026-6550

Source AMZN

Published Apr 20, 2026 at 19:20

Modified Apr 20, 2026 at 19:44

Affected Product

Vendor AWS

Product AWS Encryption SDK for Python

Version 2

Affected Versions AWS AWS Encryption SDK for Python 2
AWS AWS Encryption SDK for Python 3
AWS AWS Encryption SDK for Python 4

CWE Classification

CWE-757

References

{
    "lastseen": "",
    "description": "Cryptographic algorithm downgrade in the caching layer of Amazon AWS Encryption SDK for Python before version 3.3.1 and before version  4.0.5 might allow an authenticated local threat actor to bypass key commitment policy enforcement via a shared key cache, resulting in ciphertext that can be decrypted to multiple different plaintexts.\n\nTo remediate this issue, users should upgrade to version 3.3.1, 4.0.5 or above.",
    "published": "2026-04-20T19:20:23.383Z",
    "modified": "2026-04-20T19:44:11.685Z",
    "type": "cve",
    "title": "Key commitment policy bypass via shared key cache in AWS Encryption SDK for Python",
    "source": "AMZN",
    "references": "https://aws.amazon.com/security/security-bulletins/2026-017-aws/\nhttps://github.com/aws/aws-encryption-sdk-python/releases/tag/v4.0.5\nhttps://github.com/aws/aws-encryption-sdk-python/releases/tag/v3.3.1\nhttps://github.com/aws/aws-encryption-sdk-python/security/advisories/GHSA-v638-38fc-rhfv",
    "id": "CVE-2026-6550",
    "bulletinFamily": "",
    "cwe": [
        "CWE-757"
    ],
    "cvelist": null,
    "sourceData": "AWS AWS Encryption SDK for Python 2\nAWS AWS Encryption SDK for Python 3\nAWS AWS Encryption SDK for Python 4",
    "sourceHref": "",
    "cvss": {
        "score": 4.7,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "AWS Encryption SDK for Python",
    "version": "2",
    "vendor": "AWS",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Key commitment policy bypass via shared key cache in AWS Encryption SDK for Python_CVE-2026-6550