CVE-2026-6550

Source
https://cve.org/CVERecord?id=CVE-2026-6550
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-6550.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-6550
Aliases
Published
2026-04-20T19:20:23.383Z
Modified
2026-07-15T01:49:18.458491017Z
Severity
  • 5.7 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Key commitment policy bypass via shared key cache in AWS Encryption SDK for Python
Details

Cryptographic algorithm downgrade in the caching layer of Amazon AWS Encryption SDK for Python before version 3.3.1 and before version 4.0.5 might allow an authenticated local threat actor to bypass key commitment policy enforcement via a shared key cache, resulting in ciphertext that can be decrypted to multiple different plaintexts.

To remediate this issue, users should upgrade to version 3.3.1, 4.0.5 or above.

Database specific
{
    "cna_assigner": "AMZN",
    "cwe_ids": [
        "CWE-757"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/6xxx/CVE-2026-6550.json"
}
References

Affected packages

Git / github.com/aws/aws-encryption-sdk-python

Affected ranges

Type
GIT
Repo
https://github.com/aws/aws-encryption-sdk-python
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": [
        "DESCRIPTION",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.3.1"
        },
        {
            "fixed": "4.0.5"
        }
    ]
}

Affected versions

1.*
1.3.0
1.3.7
1.3.8
1.4.0
1.4.1
2.*
2.1.0
v1.*
v1.7.0
v2.*
v2.0.0
v2.2.0
v2.3.0
v2.4.0
v3.*
v3.0.0
v3.1.0
v3.1.1
v3.2.0
v3.3.0
v4.*
v4.0.0
v4.0.1
v4.0.2
v4.0.3
v4.0.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-6550.json"