CVE-2026-22611

LOW

AWSSDK.Core 4.0.0-4.0.3.2 - Improper Input Validation in Region Input Field

Title source: llm

Description

AWS SDK for .NET works with Amazon Web Services to help build scalable solutions with Amazon S3, Amazon DynamoDB, Amazon Glacier, and more. From versions 4.0.0 to before 4.0.3.3, Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. This issue has been patched in version 4.0.3.3.

References (1)

Core 1

Core References

Vendor Advisory x_refsource_confirm

https://github.com/aws/aws-sdk-net/security/advisories/GHSA-9cvc-h2w8-phrp

Scores

CVSS v3 3.7

EPSS 0.0007

EPSS Percentile 22.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-20

Status published

Products (2)

aws/aws-sdk-net >= 4.0.0, < 4.0.3.3

nuget/AWSSDK.Core 4.0.0 - 4.0.3.3NuGet

Published Jan 10, 2026

Tracked Since Feb 18, 2026