opensearch-py is vulnerable to Improper Cryptographic Signature Implementation
45
Medium Risk
The AWS SigV4 helper builds the AWSRequest object that SigV4Auth signs to produce the signing headers for requests to managed OpenSearch endpoints. In affected versions that request object was built without headers that should participate in the canonical request, and therefore in SignedHeaders, and X-Amz-Content-SHA256 was added only after signing, so it could be sent without appearing in SignedHeaders. This diverges from the SigV4 specification on which headers are cryptographically bound to the signature: a header outside SignedHeaders can be altered in transit without invalidating the signature, and a service that expects it to be signed may reject the request, so the defect can both weaken integrity guarantees and break interoperability. The patch forwards the intended header map into AWSRequest before signing and sets X-Amz-Content-SHA256 before add_auth when appropriate, so the signed header set matches the specification.
You are affected if you are using a version that falls within the vulnerable range.
opensearch-py is vulnerable to Improper Cryptographic Signature Implementation in versions 1.1.0 - 3.1.0.
Upgrade the opensearch-py library to a patched version (a release later than 3.1.0).
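The following is an added, self-contained illustration of the defect described above; it is not code from opensearch-py or from the advisory. It uses a minimal stdlib-only SigV4 signer (not botocore) so it runs offline, and the credentials, host, date and request body are constructed for the demonstration. `sign_request(..., bind_payload_hash=False)` models the affected behaviour (only Host and X-Amz-Date are signed and X-Amz-Content-SHA256 is appended afterwards); `bind_payload_hash=True` models the patched behaviour (caller headers plus X-Amz-Content-SHA256 are in the request before signing). The `verify` function plays the server and recomputes the signature over exactly the headers listed in SignedHeaders, which is what makes the unbound header tamperable.

```python
import hashlib
import hmac
from urllib.parse import quote, urlsplit

# Constructed credentials and timestamp for an offline demonstration (not real keys).
ACCESS_KEY = "AKIAEXAMPLEEXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
REGION = "us-east-1"
SERVICE = "es"  # managed OpenSearch domains sign as the "es" service
AMZ_DATE = "20240101T000000Z"


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _canonical_query(query: str) -> str:
    pairs = [tuple(p.split("=", 1)) if "=" in p else (p, "") for p in query.split("&") if p]
    return "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(pairs))


def sigv4_signature(method, url, headers, body, signed_header_names):
    """Compute the SigV4 signature over exactly the headers named in signed_header_names.

    Returns (hex signature, SignedHeaders string, credential scope).
    """
    parts = urlsplit(url)
    lower = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    names = sorted(n.lower() for n in signed_header_names)
    canonical_headers = "".join(f"{n}:{lower[n]}\n" for n in names)
    signed_headers = ";".join(names)
    canonical_request = "\n".join([
        method.upper(),
        quote(parts.path or "/", safe="/-_.~"),
        _canonical_query(parts.query),
        canonical_headers,          # already ends with "\n", giving the spec's blank line
        signed_headers,
        _sha256_hex(body),
    ])
    amz_date = lower["x-amz-date"]
    scope = f"{amz_date[:8]}/{REGION}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope, _sha256_hex(canonical_request.encode())]
    )
    key = _hmac(("AWS4" + SECRET_KEY).encode(), amz_date[:8])
    for piece in (REGION, SERVICE, "aws4_request"):
        key = _hmac(key, piece)
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest(), signed_headers, scope


def sign_request(method, url, headers, body, bind_payload_hash):
    """Return the outgoing headers including Authorization.

    bind_payload_hash=False models the affected opensearch-py builds: the signer sees
    only Host and X-Amz-Date, and X-Amz-Content-SHA256 is appended after signing, so it
    never enters SignedHeaders. True models the patched behaviour: the caller's headers
    and X-Amz-Content-SHA256 are in the request before the signature is computed.
    """
    payload_hash = _sha256_hex(body)
    to_sign = {"Host": urlsplit(url).netloc, "X-Amz-Date": AMZ_DATE}
    if bind_payload_hash:
        to_sign.update(headers)  # caller-supplied headers participate in the signature
        to_sign["X-Amz-Content-SHA256"] = payload_hash
    signature, signed_headers, scope = sigv4_signature(method, url, to_sign, body, to_sign.keys())
    out = dict(headers)
    out.update(to_sign)
    if not bind_payload_hash:
        out["X-Amz-Content-SHA256"] = payload_hash  # added only after signing: unbound
    out["Authorization"] = (f"AWS4-HMAC-SHA256 Credential={ACCESS_KEY}/{scope}, "
                            f"SignedHeaders={signed_headers}, Signature={signature}")
    return out


def verify(method, url, headers, body):
    """Server-side check: recompute the signature over the headers the client declared as signed."""
    auth = headers["Authorization"].split(" ", 1)[1]
    fields = dict(part.strip().split("=", 1) for part in auth.split(","))
    names = fields["SignedHeaders"].split(";")
    expected, _, _ = sigv4_signature(method, url, headers, body, names)
    return hmac.compare_digest(expected, fields["Signature"])


def demo():
    """Sign one constructed _bulk request both ways and show what an on-path rewrite of
    X-Amz-Content-SHA256 does to each."""
    method = "POST"
    url = "https://search-demo.us-east-1.es.amazonaws.com/_bulk"
    body = b'{"index":{}}\n{"msg":"hi"}\n'
    app_headers = {"Content-Type": "application/x-ndjson"}
    results = {}
    for label, bound in (("vulnerable", False), ("patched", True)):
        req = sign_request(method, url, app_headers, body, bind_payload_hash=bound)
        signed = req["Authorization"].split("SignedHeaders=")[1].split(",")[0].split(";")
        tampered = dict(req)
        tampered["X-Amz-Content-SHA256"] = "0" * 64  # rewritten in transit
        results[label] = {
            "signed_headers": signed,
            "genuine_ok": verify(method, url, req, body),
            "tampered_ok": verify(method, url, tampered, body),
        }
    return results


if __name__ == "__main__":
    for label, r in demo().items():
        print(label, r)
```

In the vulnerable path the tampered request still verifies because neither Content-Type nor X-Amz-Content-SHA256 is in SignedHeaders; in the patched path the same rewrite invalidates the signature. The same `sigv4_signature` routine serves as both signer and verifier so the check is over exactly what the client declared, which is how a real SigV4 verifier behaves.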