All boto3 CVEs — Complete Vulnerability History

Last updated: April 1, 2026 · Data: OSV Database

boto3 is the AWS SDK for Python. Its CVEs are rare — most AWS-related Python security issues come from misconfiguration rather than boto3 vulnerabilities.

Full CVE history

Current safe version: 1.34.69

# Before
boto3==1.26.0

# After
boto3==1.34.69

Then run: pip install -r requirements.txt

Why boto3 CVEs are almost always transitive

boto3 itself has a clean CVE record — most "boto3 vulnerabilities" flagged by scanners are actually in its dependencies: botocore, urllib3, or requests. When npm audit or pip-audit flags boto3, check the full dependency path first.

# See the full dependency tree for boto3
pip show boto3 | grep Requires

# Check which specific sub-package is flagged
pip-audit --requirement requirements.txt --format json | python3 -m json.tool | grep -A5 "name"

boto3 version history — security relevant releases

Fix transitive boto3 vulnerabilities

# Pin safe versions of boto3's dependencies directly
# Add to requirements.txt:
urllib3>=2.0.7
requests>=2.31.0
botocore>=1.34.0
boto3>=1.34.0

# Then update
pip install -r requirements.txt --upgrade

IAM credential exposure — the real boto3 security risk

The more significant security concern with boto3 is credential handling, not CVEs. Hardcoded AWS keys in source code are the #1 boto3 security incident. boto3 reads credentials from environment variables, ~/.aws/credentials, or IAM roles — never hardcode them.

# Never do this
s3 = boto3.client('s3', aws_access_key_id='AKIA...', aws_secret_access_key='...')

# Use environment variables or IAM roles instead
s3 = boto3.client('s3')  # reads from environment or ~/.aws/credentials