CVE-2026-6550 MEDIUM

CVE-2026-6550: Key commitment policy bypass via shared key cache in AWS Encryption SDK for Python

Vendor Aws

Product AWS Encryption SDK for Python

Weakness CWE-757

Published April 20, 2026

Last update April 20, 2026

View on NVD All CVEs

CVSS base score

4.7/10

Attack vector Local

Attack complexity High

Privileges required Low

User interaction None

Confidentiality None

Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N

What the vulnerability does

Description

Cryptographic algorithm downgrade in the caching layer of Amazon AWS Encryption SDK for Python before version 3.3.1 and before version 4.0.5 might allow an authenticated local threat actor to bypass key commitment policy enforcement via a shared key cache, resulting in ciphertext that can be decrypted to multiple different plaintexts. To remediate this issue, users should upgrade to version 3.3.1, 4.0.5 or above.

Key dates

Disclosure timeline

April 20, 2026 CVE published

April 20, 2026 Record updated

Identifiers

CVE CVE-2026-6550

CWE CWE-757

CVSS 4.7 / MEDIUM

Affected versions

Vendor Aws

Product AWS Encryption SDK for Python

Affected ≥ 2 and ≤ 2.5.1

Vendor Aws

Product AWS Encryption SDK for Python

Affected ≥ 3 and ≤ 3.3.0

Vendor Aws

Product AWS Encryption SDK for Python

Affected ≥ 4 and ≤ 4.0.4