← back
CVE-2026-6550

Key commitment policy bypass via shared key cache in AWS Encryption SDK for Python

CVSS 5.7 MEDIUMEPSS 0.1%CWE-757
Cryptographic algorithm downgrade in the caching layer of Amazon AWS Encryption SDK for Python before version 3.3.1 and before version 4.0.5 might allow an authenticated local threat actor to bypass key commitment policy enforcement via a shared key cache, resulting in ciphertext that can be decrypted to multiple different plaintexts. To remediate this issue, users should upgrade to version 3.3.1, 4.0.5 or above.
CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Affected products
AWS · AWS Encryption SDK for Python

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://aws.amazon.com/security/security-bulletins/2026-017-aws/https://github.com/aws/aws-encryption-sdk-python/releases/tag/v3.3.1https://github.com/aws/aws-encryption-sdk-python/releases/tag/v4.0.5https://github.com/aws/aws-encryption-sdk-python/security/advisories/GHSA-v638-38fc-rhfv