AWS Encryption SDK Python - Crypto Downgrade in Cache Pre-3.3.1/4.0.5: CVE-2026-6550 April 2026

Key commitment policy bypass via shared key cache in AWS Encryption SDK for Python
Cryptographic algorithm downgrade in the caching layer of Amazon AWS Encryption SDK for Python before version 3.3.1 and before version 4.0.5 might allow an authenticated local threat actor to bypass key commitment policy enforcement via a shared key cache, resulting in ciphertext that can be decrypted to multiple different plaintexts. To remediate this issue, users should upgrade to version 3.3.1, 4.0.5 or above.

Vulnerability Analysis

CVE-2026-6550 is exploitable with local system access, and requires small amount of user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, a high impact on integrity, and no impact on availability.

Attack Vector:

LOCAL

Attack Complexity:

HIGH

Privileges Required:

LOW

User Interaction:

NONE

Scope:

UNCHANGED

Confidentiality Impact:

NONE

Integrity Impact:

HIGH

Availability Impact:

NONE

Weakness Type

What is an Algorithm Downgrade Vulnerability?

A protocol or its implementation supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not select the strongest algorithm that is available to both parties. When a security mechanism can be forced to downgrade to use a less secure algorithm, this can make it easier for attackers to compromise the software by exploiting weaker algorithm. The victim might not be aware that the less secure algorithm is being used. For example, if an attacker can force a communications channel to use cleartext instead of strongly-encrypted data, then the attacker could read the channel by sniffing, instead of going through extra effort of trying to decrypt the data using brute force techniques.

CVE-2026-6550 has been classified to as an Algorithm Downgrade vulnerability or weakness.

Products Associated with CVE-2026-6550

Want to know whenever a new CVE is published for Amazon Aws? stack.watch will email you.

AWS Encryption SDK Python - Crypto Downgrade in Cache Pre-3.3.1/4.0.5
CVE-2026-6550 Published on April 20, 2026

Vulnerability Analysis

Weakness Type

What is an Algorithm Downgrade Vulnerability?

Products Associated with CVE-2026-6550

Affected Versions

AWS Encryption SDK Python - Crypto Downgrade in Cache Pre-3.3.1/4.0.5CVE-2026-6550 Published on April 20, 2026

Vulnerability Analysis

Weakness Type

What is an Algorithm Downgrade Vulnerability?

Products Associated with CVE-2026-6550

Affected Versions

AWS Encryption SDK Python - Crypto Downgrade in Cache Pre-3.3.1/4.0.5
CVE-2026-6550 Published on April 20, 2026