CVE-2026-22611 - Vulnerability Details

- AWS SDK for .NET V4 adopted defense in depth enhancement for region parameter value

Description

AWS SDK for .NET works with Amazon Web Services to help build scalable solutions with Amazon S3, Amazon DynamoDB, Amazon Glacier, and more. From versions 4.0.0 to before 4.0.3.3, Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. This issue has been patched in version 4.0.3.3.

Published: 2026-01-10

Score: 3.7 Low

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability permits an actor who controls the execution environment to supply an invalid or non‑AWS region value, causing the SDK to route API requests to a non‑existent or external host. This may lead to unintended network traffic, potential data leakage, or denial of service to the intended AWS services. The flaw is a classic input validation error (CWE‑20).

Affected Systems

The affected products are the AWS SDK for .NET, versions 4.0.0 through 4.0.3.2. The issue was addressed in version 4.0.3.3. Applications that reference the SDK within this vulnerable range and allow region values to be set from untrusted sources are at risk.

Risk and Exploitability

The CVSS score is 3.7, indicating low severity, and the EPSS score is below 1 %, reflecting a very low likelihood of exploitation. Because the flaw requires access to the application’s environment to set the region field, remote exploitation is unlikely. The vulnerability is not listed in the CISA KEV catalog. The overall risk is modest, but upgrading immediately eliminates the weakness.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

aws

aws-sdk-net

affected

Version	Status	Constraints
`>= 4.0.0, < 4.0.3.3`	affected	—

No data.

Vendor	Product	Confidence	Versions
Amazon	Aws Sdk Net	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the AWS SDK for .NET to version 4.0.3.3 or later.
Validate all region parameters against a trusted list of AWS region identifiers, rejecting any non‑valid values.
Review application code that constructs or modifies the region field to enforce strict validation and prevent accidental misuse.

Generated by OpenCVE AI on April 18, 2026 at 07:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-9cvc-h2w8-phrp	AWS SDK for .NET V4 adopted defense in depth enhancement for region parameter value

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00074.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/aws/aws-sdk-net/security/advisories/GHSA-9cvc-h2w8-phrp

History

Mon, 12 Jan 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 12 Jan 2026 14:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Amazon Amazon aws Sdk Net
Vendors & Products		Amazon Amazon aws Sdk Net

Sat, 10 Jan 2026 05:45:00 +0000

Type	Values Removed	Values Added
Description		AWS SDK for .NET works with Amazon Web Services to help build scalable solutions with Amazon S3, Amazon DynamoDB, Amazon Glacier, and more. From versions 4.0.0 to before 4.0.3.3, Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. This issue has been patched in version 4.0.3.3.
Title		AWS SDK for .NET V4 adopted defense in depth enhancement for region parameter value
Weaknesses		CWE-20
References		https://github.com/aws/aws-sdk-net/security/advisories/GHSA-9cvc-h2w8-phrp
Metrics		cvssV3_1 `{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}`

Subscriptions

Amazon Aws Sdk Net

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-01-10T05:37:08.297Z

Updated: 2026-01-12T14:39:57.770Z

Reserved: 2026-01-07T21:50:39.534Z

Link: CVE-2026-22611

Vulnrichment

Updated: 2026-01-12T14:39:55.096Z

NVD

Status : Deferred

Published: 2026-01-10T06:15:51.270

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-22611

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T07:15:25Z

Weaknesses

CWE-20

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object