CVE-2026-6550
Received Received - Intake
Cryptographic Downgrade in AWS Encryption SDK Enables Key Bypass

Publication date: 2026-04-20

Last updated on: 2026-04-20

Assigner: AMZN

Description
Cryptographic algorithm downgrade in the caching layer of Amazon AWS Encryption SDK for Python before version 3.3.1 and before version 4.0.5 might allow an authenticated local threat actor to bypass key commitment policy enforcement via a shared key cache, resulting in ciphertext that can be decrypted to multiple different plaintexts. To remediate this issue, users should upgrade to version 3.3.1, 4.0.5 or above.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-20
Last Modified
2026-04-20
Generated
2026-06-16
AI Q&A
2026-04-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-6550
EUVD
EUVD-2026-23943
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
amazon aws_encryption_sdk 3.3.1
amazon aws_encryption_sdk 4.0.5
amazon aws_encryption_sdk From 2.0 (inc) to 2.5.1 (exc)
amazon aws_encryption_sdk From 3.0 (inc) to 3.3.0 (exc)
amazon aws_encryption_sdk From 4.0 (inc) to 4.0.4 (exc)
amazon aws_encryption_sdk to 3.3.1 (exc)
amazon aws_encryption_sdk to 4.0.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-757 A protocol or its implementation supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not select the strongest algorithm that is available to both parties.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-6550 is a vulnerability in the AWS Encryption SDK for Python that involves a cryptographic algorithm downgrade in the caching layer. This flaw allows an authenticated local attacker to bypass the key commitment policy enforcement by exploiting a shared key cache. As a result, ciphertexts can be created that decrypt to multiple different plaintexts, undermining the integrity of encrypted data.

The issue occurs when multiple clients with different key commitment policies share a single caching instance, causing encryption materials that do not enforce key commitment to be reused improperly.

To fix this, users should upgrade to versions 3.3.1, 4.0.5 or later, which include validation to ensure encryption materials comply with the key commitment policy.

Impact Analysis

This vulnerability impacts the integrity of encrypted data by allowing ciphertexts to be decrypted into multiple different plaintexts. An authenticated local attacker can exploit this to bypass key commitment policies, potentially causing recipients to decrypt altered or malicious messages.

While confidentiality and availability are not affected, the integrity breach can undermine trust in the encryption process and lead to data manipulation without detection.

The attack requires local access with low privileges and has high attack complexity, but it can be significant in environments where multiple SDK clients share key caches.

Detection Guidance

There is no specific information provided about detection methods or commands to identify this vulnerability on your network or system.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade the AWS Encryption SDK for Python to version 3.3.1, 4.0.5, or later.

If you operate multiple instances of the Python ESDK with different key commitment policies, avoid sharing a key cache between them to prevent bypass of the key commitment policy.

Ensure that any forked or derivative code incorporates the patches that fix this vulnerability.

Compliance Impact

This vulnerability undermines data integrity guarantees by allowing ciphertexts to be decrypted into multiple different plaintexts due to a bypass of key commitment policy enforcement.

Such a compromise in data integrity could impact compliance with standards and regulations like GDPR and HIPAA, which require ensuring the integrity and authenticity of sensitive data.

However, the vulnerability does not affect confidentiality or availability, but the ability to alter decrypted data without detection may violate regulatory requirements for data protection and integrity.

To maintain compliance, affected users should upgrade to fixed versions (3.3.1, 4.0.5 or above) and avoid sharing key caches between clients with different key commitment policies.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6550. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart