CVE-2026-6550
Cryptographic Downgrade in AWS Encryption SDK Enables Key Bypass
Publication date: 2026-04-20
Last updated on: 2026-04-20
Assigner: AMZN
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| amazon | aws_encryption_sdk | 3.3.1 |
| amazon | aws_encryption_sdk | 4.0.5 |
| amazon | aws_encryption_sdk | From 2.0 (inc) to 2.5.1 (exc) |
| amazon | aws_encryption_sdk | From 3.0 (inc) to 3.3.0 (exc) |
| amazon | aws_encryption_sdk | From 4.0 (inc) to 4.0.4 (exc) |
| amazon | aws_encryption_sdk | to 3.3.1 (exc) |
| amazon | aws_encryption_sdk | to 4.0.5 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-757 | A protocol or its implementation supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not select the strongest algorithm that is available to both parties. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-6550 is a vulnerability in the AWS Encryption SDK for Python that involves a cryptographic algorithm downgrade in the caching layer. This flaw allows an authenticated local attacker to bypass the key commitment policy enforcement by exploiting a shared key cache. As a result, ciphertexts can be created that decrypt to multiple different plaintexts, undermining the integrity of encrypted data.
The issue occurs when multiple clients with different key commitment policies share a single caching instance, causing encryption materials that do not enforce key commitment to be reused improperly.
To fix this, users should upgrade to versions 3.3.1, 4.0.5 or later, which include validation to ensure encryption materials comply with the key commitment policy.
How can this vulnerability impact me? :
This vulnerability impacts the integrity of encrypted data by allowing ciphertexts to be decrypted into multiple different plaintexts. An authenticated local attacker can exploit this to bypass key commitment policies, potentially causing recipients to decrypt altered or malicious messages.
While confidentiality and availability are not affected, the integrity breach can undermine trust in the encryption process and lead to data manipulation without detection.
The attack requires local access with low privileges and has high attack complexity, but it can be significant in environments where multiple SDK clients share key caches.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There is no specific information provided about detection methods or commands to identify this vulnerability on your network or system.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade the AWS Encryption SDK for Python to version 3.3.1, 4.0.5, or later.
If you operate multiple instances of the Python ESDK with different key commitment policies, avoid sharing a key cache between them to prevent bypass of the key commitment policy.
Ensure that any forked or derivative code incorporates the patches that fix this vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability undermines data integrity guarantees by allowing ciphertexts to be decrypted into multiple different plaintexts due to a bypass of key commitment policy enforcement.
Such a compromise in data integrity could impact compliance with standards and regulations like GDPR and HIPAA, which require ensuring the integrity and authenticity of sensitive data.
However, the vulnerability does not affect confidentiality or availability, but the ability to alter decrypted data without detection may violate regulatory requirements for data protection and integrity.
To maintain compliance, affected users should upgrade to fixed versions (3.3.1, 4.0.5 or above) and avoid sharing key caches between clients with different key commitment policies.