Vulnerability Description
Cryptographic algorithm downgrade in the caching layer of Amazon AWS Encryption SDK for Python before version 3.3.1 and before version 4.0.5 might allow an authenticated local threat actor to bypass key commitment policy enforcement via a shared key cache, resulting in ciphertext that can be decrypted to multiple different plaintexts. To remediate this issue, users should upgrade to version 3.3.1, 4.0.5 or above.
CVSS Score
MEDIUM
Related Weaknesses (CWE)
References
- https://aws.amazon.com/security/security-bulletins/2026-017-aws/
- https://github.com/aws/aws-encryption-sdk-python/releases/tag/v3.3.1
- https://github.com/aws/aws-encryption-sdk-python/releases/tag/v4.0.5
- https://github.com/aws/aws-encryption-sdk-python/security/advisories/GHSA-v638-3
FAQ
What is CVE-2026-6550?
CVE-2026-6550 is a vulnerability with a CVSS score of 4.7 (MEDIUM). Cryptographic algorithm downgrade in the caching layer of Amazon AWS Encryption SDK for Python before version 3.3.1 and before version 4.0.5 might allow an authenticated local threat actor to bypass ...
How severe is CVE-2026-6550?
CVE-2026-6550 has been rated MEDIUM with a CVSS base score of 4.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-6550?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.