Description
Cryptographic algorithm downgrade in the caching layer of Amazon AWS Encryption SDK for Python before version 3.3.1 and before version 4.0.5 might allow an authenticated local threat actor to bypass key commitment policy enforcement via a shared key cache, resulting in ciphertext that can be decrypted to multiple different plaintexts.

To remediate this issue, users should upgrade to version 3.3.1, 4.0.5 or above.
Published: 2026-04-20
Score: 5.7 Medium
EPSS: n/a
KEV: No
Impact: Compromised data confidentiality via key commitment policy bypass
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in the caching layer of the AWS Encryption SDK for Python, where a shared key cache can be manipulated by an authenticated local threat actor to downgrade the cryptographic algorithm. This bypasses the SDK’s key commitment policy and allows the same ciphertext to be decrypted to multiple different plaintexts, effectively allowing information to be revealed or altered without the expected integrity guarantees.

Affected Systems

The issue affects AWS Encryption SDK for Python in all releases prior to version 3.3.1 and prior to 4.0.5. Users of these versions exposed to the SDK’s shared key caching mechanism are at risk.

Risk and Exploitability

The CVSS score of 5.7 indicates a medium severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Exploitability requires local authentication with access to the shared key cache; an attacker can manipulate cached keys to achieve a cryptographic algorithm downgrade, enabling decryption of ciphertext to unintended plaintexts, thereby compromising confidentiality.

Generated by OpenCVE AI on April 20, 2026 at 20:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to AWS Encryption SDK for Python 3.3.1, 4.0.5 or newer.
  • If your application relies on shared key caching, consider disabling the cache or clearing it regularly to prevent reuse of compromised keys.
  • Audit cryptographic code paths to ensure key commitment policies are enforced and do not depend on the caching layer for critical decisions.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 20:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 20 Apr 2026 19:45:00 +0000

Type | Values Removed | Values Added
Description | | Cryptographic algorithm downgrade in the caching layer of Amazon AWS Encryption SDK for Python before version 3.3.1 and before version 4.0.5 might allow an authenticated local threat actor to bypass key commitment policy enforcement via a shared key cache, resulting in ciphertext that can be decrypted to multiple different plaintexts. To remediate this issue, users should upgrade to version 3.3.1, 4.0.5 or above.
Title | | Key commitment policy bypass via shared key cache in AWS Encryption SDK for Python
Weaknesses | | CWE-757
References | |
Metrics | | cvssV3_1 {'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N'}
Metrics | | cvssV4_0 {'score': 5.7, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: AMZN

Published:

Updated: 2026-04-20T19:44:11.685Z

Reserved: 2026-04-17T20:06:20.299Z

Link: CVE-2026-6550

Vulnrichment

Updated: 2026-04-20T19:44:07.480Z

NVD

Status: Received

Published: 2026-04-20T20:16:49.283

Modified: 2026-04-20T20:16:49.283

Link: CVE-2026-6550

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T20:45:16Z

Weaknesses