CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-6550 - Key commitment policy bypass via shared key cache in AWS Encryption SDK for Python

unknownCVE-2026-6550
Bulletin ID: 2026-017-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 2026/04/20 12:45 PM PDT Description: AWS Encryption SDK (ESDK) for Python is a client-side encryption library. We identified CVE-2026-6550, which describes an issue with a key commitment policy bypass via shared key cache. Cryptographic algorithm downgrade in the caching layer of Amazon AWS Encryption SDK for Python before version 3.3.1 and before version 4.0.5 might allow an authenticated local threat actor to bypass key commitment policy enforcement via a shared key cache, resulting in ciphertext that can be decrypted to multiple different plaintexts. Impacted versions: - From 2.0 to 2.5.1 - From 3.0 to 3.3.0 - From 4.0 to 4.0.4 Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.

CSIRTS triage

vendor: AWSproduct: AWS Encryption SDK for PythonOtheraffected: 2.0 - 2.5.1, 3.0 - 3.3.0, 4.0 - 4.0.4
What
A key commitment policy bypass via shared key cache may allow an authenticated local threat actor to bypass key commitment policy enforcement.
Who is affected
Authenticated users of AWS Encryption SDK for Python versions in the specified range.
Urgency
Remediation is important to prevent unauthorized decryption of ciphertext.
Action
Update to a version of AWS Encryption SDK for Python that addresses this issue.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch AWS Encryption SDK for Python

Get an email when a new AWS Encryption SDK for Python advisory drops — max one per day, one-click unsubscribe.

Details

Source
AWS Security Bulletins (INTL · vendor-psirt · site)
Severity
unknown
Published
2026-06-05
Exploitation
Not in CISA KEV at last sync

Original advisory: https://aws.amazon.com/security/security-bulletins/rss/2026-017-aws/

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-6550coverage & exploitation statusNVD · CVE.org

Recent advisories for - Key commitment

A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.

More from AWS Security Bulletins