CVE-2026-6550

EUVD-2026-23943
Cryptographic algorithm downgrade in the caching layer of Amazon AWS Encryption SDK for Python before version 3.3.1 and before version  4.0.5 might allow an authenticated local threat actor to bypass key commitment policy enforcement via a shared key cache, resulting in ciphertext that can be decrypted to multiple different plaintexts.

To remediate this issue, users should upgrade to version 3.3.1, 4.0.5 or above.
Algorithm Downgrade
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.7 MEDIUM
LOCAL
HIGH
LOW
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Common Weakness Enumeration
References
https://aws.amazon.com/security/security-bulletins/2026-017-aws/
https://github.com/aws/aws-encryption-sdk-python/releases/tag/v3.3.1
https://github.com/aws/aws-encryption-sdk-python/releases/tag/v4.0.5
https://github.com/aws/aws-encryption-sdk-python/security/advisories/GHSA-v638-38fc-rhfv