CVE-2026-6550 - Key commitment policy bypass via shared key cache in AWS Encryption SDK for Python
Bulletin ID: 2026-017-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 2026/04/20 12:45 PM PDT Description: AWS Encryption SDK (ESDK) for Python is a client-side encryption library. We identified CVE-2026-6550, which describes an issue with a key commitment policy bypass via shared key cache. Cryptographic algorithm downgrade in the caching layer of Amazon AWS Encryption SDK for Python before version 3.3.1 and before version 4.0.5 might allow an authenticated local threat actor to bypass key commitment policy enforcement via a shared key cache, resulting in ciphertext that can be decrypted to multiple different plaintexts. Impacted versions: - From 2.0 to 2.5.1 - From 3.0 to 3.3.0 - From 4.0 to 4.0.4 Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
CSIRTS triage
- What
- A key commitment policy bypass via shared key cache may allow an authenticated local threat actor to bypass key commitment policy enforcement.
- Who is affected
- Authenticated users of AWS Encryption SDK for Python versions in the specified range.
- Urgency
- Remediation is important to prevent unauthorized decryption of ciphertext.
- Action
- Update to a version of AWS Encryption SDK for Python that addresses this issue.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch AWS Encryption SDK for Python
Get an email when a new AWS Encryption SDK for Python advisory drops — max one per day, one-click unsubscribe.
Details
Original advisory: https://aws.amazon.com/security/security-bulletins/rss/2026-017-aws/
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-65500.10% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 1% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-6550 | coverage & exploitation status | NVD · CVE.org |
Recent advisories for - Key commitment
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- highCVE-2026-55213: h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. Prior to commit edd7a120bf…nvd · 2026-07-10
- highCVE-2026-22660: FlaskBB through 2.2.0, fixed in commit a5da9a5, contains a logic flaw vulnerability that allow…nvd · 2026-07-10
- highCVE-2026-22659: FlaskBB through 2.2.0, fixed in commit acc88cf, contains an authorization bypass vulnerability…nvd · 2026-07-10
- highCVE-2026-38076: An integer overflow in the jbig2_arith_iaid_ctx_new() function of Artifex commit cc37d0 allows…nvd · 2026-07-09
- highCVE-2026-58459: gpsd through release-3.27.5, fixed at commit 4c06658, contains a command injection vulnerabili…nvd · 2026-07-09
- highCVE-2026-51535: In OpENer 2.3.0 (commit 76b95cf), a resource exhaustion (Denial of Service) vulnerability exis…nvd · 2026-07-08
More from AWS Security Bulletins
- unknownCVE-2026-14904 - Improper Link Resolution in Auth.GetUserPrivateKey in AWS Research and Engineering Studio2026-07-07
- unknownCVE-2026-14471 - Authenticated SQL injection in the metrics-service retention policy subsystem of mcp-gateway-…2026-07-06
- unknownCVE-2026-14265- Deserialization of Untrusted Data in AWS Advanced JDBC Wrapper RemoteQueryCachePlugin2026-07-01
- unknownCVE-2026-13760 - OS Command Injection in NodejsFunction Docker Bundling in aws-cdk-lib2026-07-01
- unknownCVE-2026-13769 – Insecure file permissions in AWS CLI2026-07-01