Description
Cryptographic algorithm downgrade in the caching layer of Amazon AWS Encryption SDK for Python before version 3.3.1 and before version 4.0.5 might allow an authenticated local threat actor to bypass key commitment policy enforcement via a shared key cache, resulting in ciphertext that can be decrypted to multiple different plaintexts.

To remediate this issue, users should upgrade to version 3.3.1, 4.0.5 or above.
Published: 2026-04-20
Score: 5.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Compromised data confidentiality via key commitment policy bypass
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in the caching layer of the AWS Encryption SDK for Python, where a shared key cache can be manipulated by an authenticated local threat actor to downgrade the cryptographic algorithm. This bypasses the SDK’s key commitment policy and allows the same ciphertext to be decrypted to multiple different plaintexts, effectively allowing information to be revealed or altered without the expected integrity guarantees.

Affected Systems

The issue affects AWS Encryption SDK for Python in all releases prior to version 3.3.1 and prior to 4.0.5. Users of these versions exposed to the SDK’s shared key caching mechanism are at risk.

Risk and Exploitability

The CVSS score of 5.7 indicates a medium severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Exploitability requires local authentication with access to the shared key cache; an attacker can manipulate cached keys to achieve a cryptographic algorithm downgrade, enabling decryption of ciphertext to unintended plaintexts, thereby compromising confidentiality.

Generated by OpenCVE AI on April 20, 2026 at 20:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to AWS Encryption SDK for Python 3.3.1, 4.0.5 or newer.
  • If your application relies on shared key caching, consider disabling the cache or clearing it regularly to prevent reuse of compromised keys.
  • Audit cryptographic code paths to ensure key commitment policies are enforced and do not depend on the caching layer for critical decisions.

Generated by OpenCVE AI on April 20, 2026 at 20:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-v638-38fc-rhfv AWS Encryption SDK for Python: Key commitment policy bypass via shared key cache
History

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Amazon
Amazon aws Encryption Sdk For Python
Vendors & Products Amazon
Amazon aws Encryption Sdk For Python

Mon, 20 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 20 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
Description Cryptographic algorithm downgrade in the caching layer of Amazon AWS Encryption SDK for Python before version 3.3.1 and before version 4.0.5 might allow an authenticated local threat actor to bypass key commitment policy enforcement via a shared key cache, resulting in ciphertext that can be decrypted to multiple different plaintexts. To remediate this issue, users should upgrade to version 3.3.1, 4.0.5 or above.
Title Key commitment policy bypass via shared key cache in AWS Encryption SDK for Python
Weaknesses CWE-757
References
Metrics cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N'}

cvssV4_0

{'score': 5.7, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Amazon Aws Encryption Sdk For Python
cve-icon MITRE

Status: PUBLISHED

Assigner: AMZN

Published:

Updated: 2026-04-20T19:44:11.685Z

Reserved: 2026-04-17T20:06:20.299Z

Link: CVE-2026-6550

cve-icon Vulnrichment

Updated: 2026-04-20T19:44:07.480Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-20T20:16:49.283

Modified: 2026-04-21T16:20:24.180

Link: CVE-2026-6550

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T11:47:21Z

Weaknesses