Wiz Agents & Workflows are here
Wiz
Vulnerability DatabaseGHSA-mvm6-f9r3-fgfx

GHSA-mvm6-f9r3-fgfx
C# vulnerability analysis and mitigation

Summary

This notification is related to the CloudFront signing utilities in the AWS SDK for .NET, which are used to generate Amazon CloudFront signed URLs and signed cookies. A defense-in-depth enhancement has been implemented to improve handling of special characters, such as double quotes and backslashes, in input values.

Impact

The CloudFront signing utilities build policy documents that define access restrictions for signed URLs and cookies. If an application passes unsanitized input containing special characters to these utilities, the resulting policy document may not reflect the application's intended access restrictions. While the SDK was functioning safely within the requirements of the shared responsibility model, additional safeguards have been added to support secure customer implementations. Applications that already follow AWS security best practices for input validation are not impacted.

Impacted versions:

  • AWS SDK for .NET V3 (AWSSDK.CloudFront): < 3.7.510.7
  • AWS SDK for .NET V4 (AWSSDK.Extensions.CloudFront.Signers): 4.0.0.0 - 4.0.0.25

Patches

On February 25th, 2026, an enhancement was made to the AWS SDK for .NET CloudFront signing utilities. The enhancement ensures that special characters in input values are correctly handled. We recommend upgrading to the latest version.

Workarounds

No workarounds are needed, but customers should ensure that your application is following security best practices:

  • Implement proper input validation in your application code before passing values to CloudFront signing utilities
  • Update to the latest AWS SDK release on a regular basis
  • Follow AWS security best practices for SDK configuration

References

If there are any questions or comments about this advisory, contact AWS Security via our vulnerability reporting page or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.

Acknowledgement

AWS SDK for .NET thanks the Amazon Inspector Security Research team for identifying this issue and working through the coordinated process together.

SourceNVD

Related C# vulnerabilities:

CVE ID

Severity

Score

Technologies

Component name

CISA KEV exploit

Has fix

Published date

GHSA-mvm6-f9r3-fgfxHIGH7.7
  • C#C#
  • AWSSDK.CloudFront
NoYesMar 27, 2026
CVE-2026-33536MEDIUM5.1
  • C#C#
  • ImageMagick-doc
NoYesMar 26, 2026
CVE-2026-33535MEDIUM4
  • C#C#
  • Magick.NET-Q16-HDRI-OpenMP-arm64
NoYesMar 26, 2026
GHSA-9r56-3gjq-hqf7LOW3.3
  • C#C#
  • Magick.NET-Q16-HDRI-AnyCPU
NoYesMar 26, 2026
GHSA-6p22-q7w5-33pgLOW3.3
  • C#C#
  • Magick.NET-Q8-OpenMP-arm64
NoYesMar 26, 2026

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

Cloud Threat Landscape

A threat intelligence database

PEACH

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo