CVE-2026-22611
Description
AWS SDK for .NET works with Amazon Web Services to help build scalable solutions with Amazon S3, Amazon DynamoDB, Amazon Glacier, and more. From version 4.0.0 to before 4.0.3.3, customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. This notification relates to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. This issue has been patched in version 4.0.3.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
AWS SDK for .NET v4 before 4.0.3.3 allows misrouting of API calls through invalid region input, a low-severity configuration security issue.
Vulnerability Overview
CVE-2026-22611 affects the AWS SDK for .NET versions 4.0.0 through 4.0.3.2. The issue arises because customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. This occurs when an actor with access to the environment sets the region input field to an invalid value during AWS service calls [2]. The SDK did not check whether the supplied region string formed a valid host label before using it to build an AWS endpoint hostname, so under certain configurations requests could be directed to arbitrary hosts [3].
Exploitation Context
Exploitation requires that an attacker already has access to the environment where the SDK is used, such as the ability to modify application configuration files or to control the region parameter passed to SDK methods. This is not a remote exploitation vector; it is a configuration security issue. The SDK was functioning within the bounds of the AWS shared responsibility model, meaning customers are ultimately responsible for securing their own application settings [3]. The vulnerability is rated low severity (CVSS 3.1 base score 3.7), reflecting the prerequisite of local or authenticated access [2].
Impact
If exploited, an attacker could cause the SDK to route API calls to an attacker-controlled host that is not an AWS endpoint, potentially exposing credentials, request data, or responses to a malicious server. However, the advisory frames the fix as a defense-in-depth enhancement rather than a critical security flaw, because the SDK assumed customers would validate their own region inputs [3].
Mitigation
AWS patched this issue in SDK for .NET v4 version 4.0.3.3 (released November 21, 2025) by adding validation that a region used to construct an endpoint URL must be a valid host label [1][3]. Users are advised to update to the patched version and to follow security best practices such as validating region and other configuration inputs in application code and keeping the SDK up to date [3].
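As an added defensive illustration (not code from the AWS SDK for .NET itself), the check the fix describes can be modelled as a host-label validator applied to the region value before it is spliced into an endpoint hostname; the `RegionEndpointGuard` class and the `https://{service}.{region}.amazonaws.com/` pattern are simplified assumptions, not the SDK's real endpoint resolution.

```csharp
using System;
using System.Text.RegularExpressions;

// Added example, not the AWS SDK for .NET's own code: a guard that checks a
// region string is a single valid DNS host label before it is spliced into an
// endpoint hostname. The endpoint pattern below is a simplified assumption.
public static class RegionEndpointGuard
{
    // RFC 1123 host label: 1-63 letters, digits or hyphens, and it may not
    // start or end with a hyphen. \z anchors at the true end of the string.
    private static readonly Regex HostLabel = new Regex(
        @"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\z", RegexOptions.Compiled);

    public static bool IsValidHostLabel(string value)
        => !string.IsNullOrEmpty(value) && HostLabel.IsMatch(value);

    // Returns the endpoint only when both labels are well formed; otherwise it
    // throws rather than emit a URL whose host or path the region has altered.
    public static Uri BuildEndpoint(string service, string region)
    {
        if (!IsValidHostLabel(service))
            throw new ArgumentException($"invalid service label '{service}'", nameof(service));
        if (!IsValidHostLabel(region))
            throw new ArgumentException($"invalid region label '{region}'", nameof(region));
        return new Uri($"https://{service}.{region}.amazonaws.com/");
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample inputs: one well-formed region, then values that
        // would change the host or path of the resulting URL if not rejected.
        string[] samples = { "us-east-1", "us-east-1.not-aws.example", "us-east-1/..", "-us-east-1", "" };
        foreach (string region in samples)
        {
            try
            {
                Uri endpoint = RegionEndpointGuard.BuildEndpoint("s3", region);
                Console.WriteLine($"{region,-26} -> {endpoint}");
            }
            catch (ArgumentException ex)
            {
                Console.WriteLine($"{region,-26} -> rejected: {ex.Message}");
            }
        }
    }
}
```

Only the first sample produces an endpoint; the others are rejected before any URL is formed, which is the behaviour the 4.0.3.3 validation adds.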
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| AWSSDK.Core (NuGet) | >= 4.0.0, < 4.0.3.3 | 4.0.3.3 |
Affected products
- Range: >=4.0.0, <4.0.3.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.