CVE-2026-6550

April 21, 2026, 4:20 p.m.

5.7
Medium

Description

Cryptographic algorithm downgrade in the caching layer of Amazon AWS Encryption SDK for Python before version 3.3.1 and before version 4.0.5 might allow an authenticated local threat actor to bypass key commitment policy enforcement via a shared key cache, resulting in ciphertext that can be decrypted to multiple different plaintexts. To remediate this issue, users should upgrade to version 3.3.1, 4.0.5 or above.

Product(s) Impacted

Vendor Product Versions
Amazon
  • Aws Encryption Sdk For Python
  • <3.3.1, <4.0.5

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-757
Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
A protocol or its implementation supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not select the strongest algorithm that is available to both parties.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a amazon aws_encryption_sdk_for_python <3.3.1 / / / / / / /
a amazon aws_encryption_sdk_for_python <4.0.5 / / / / / / /

References

https://aws.amazon.com/security/security-bulletins/2026-017-aws/
https://github.com/aws/aws-encryption-sdk-python/releases/tag/v3.3.1
https://github.com/aws/aws-encryption-sdk-python/releases/tag/v4.0.5
https://github.com/aws/aws-encryption-sdk-python/security/advisories/GHSA-v638-38fc-rhfv

Tags

CWE-757
ff89ba41-3aa1-4d27-914a-91399e9639e5
2026-04-20
CVE-2026-6550

CVSS Score

5.7 / 10

CVSS Data - 4.0

  • Attack Vector: LOCAL
  • Attack Complexity: HIGH
  • Attack Requirements: PRESENT
  • Privileges Required: LOW
  • User Interaction: NONE
  • Scope:
  • Confidentiality Impact: NONE
  • Integrity Impact: HIGH
  • Availability Impact: NONE
  • Exploit Maturity: NOT_DEFINED

    • CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    View Vector String

Timeline

Published: April 20, 2026, 8:16 p.m.
Last Modified: April 21, 2026, 4:20 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

ff89ba41-3aa1-4d27-914a-91399e9639e5

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.