CVE-2026-22611
Unknown Unknown - Not Provided
Improper API Call Routing in AWS SDK for .NET

Publication date: 2026-01-10

Last updated on: 2026-01-10

Assigner: GitHub, Inc.

Description
AWS SDK for .NET works with Amazon Web Services to help build scalable solutions with Amazon S3, Amazon DynamoDB, Amazon Glacier, and more. From versions 4.0.0 to before 4.0.3.3, Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. This issue has been patched in version 4.0.3.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-10
Last Modified
2026-01-10
Generated
2026-06-16
AI Q&A
2026-01-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-22611
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
amazon aws_sdk_for_.net to 4.0.3.3 (exc)
amazon aws_sdk_for_.net 4.0.3.3
amazon aws_sdk_for_.net 4.0.139.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

The immediate mitigation step is to upgrade the AWS SDK for .NET to version 4.0.139.0 or later, which includes validation to ensure the region parameter conforms to valid host label formats, preventing invalid region values from being used to construct endpoint URLs. [1]

Executive Summary

This vulnerability in AWS SDK for .NET versions 4.0.0 to before 4.0.3.3 allowed an actor with access to the environment to set the region input field to an invalid value. This could cause customer applications to improperly route AWS API calls to non-existent or non-AWS hosts due to lack of validation on the region parameter when constructing endpoint URLs. The issue was patched in version 4.0.3.3 and later in 4.0.139.0 by adding validation to ensure the region parameter conforms to a valid host label format. [1]

Impact Analysis

The vulnerability could lead to misconfiguration issues where AWS API calls are routed to incorrect or non-existent hosts, potentially causing limited data exposure. However, it poses a low-severity risk with no impact on integrity or availability. It does not violate the shared responsibility model but requires customers to ensure proper configuration. Exploitation requires complex conditions and no privileges or user interaction are needed. [1]

Detection Guidance

Detection involves checking if your environment is using AWS SDK for .NET versions from 4.0.0 up to but not including 4.0.139.0, and verifying if the region input field is set to invalid or non-standard values that could cause routing to non-existent or non-AWS hosts. There are no specific commands provided in the resources to detect this vulnerability on your network or system. [1]

Compliance Impact

The vulnerability poses a low-severity risk related to misconfiguration that could cause AWS API calls to be routed to non-existent or non-AWS hosts. However, it does not violate the shared responsibility model and has a low confidentiality impact with no integrity or availability impact. There is no specific information indicating a direct effect on compliance with common standards and regulations such as GDPR or HIPAA. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22611. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart