CVE-2026-54276

NameCVE-2026-54276
DescriptionAIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, DigestAuthMiddleware can send an authentication response after following a cross-origin redirect. This likely requires an open redirect vulnerability or similar on the target domain for an attacker to be able to execute. Further, the attacker is only receiving the digest, so should only be able to extract the user's credentials if the cryptography is weak or there is some kind of password reuse. This vulnerability is fixed in 3.14.1.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
python-aiohttp (PTS)bullseye3.7.4-1fixed
bullseye (security)3.7.4-1+deb11u2fixed
bookworm, bookworm (security)3.8.4-1+deb12u1fixed
trixie (security), trixie3.11.16-1+deb13u1fixed
forky3.14.1-3fixed
sid3.14.1-4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
python-aiohttpsourcebullseye(not affected)
python-aiohttpsourcebookworm(not affected)
python-aiohttpsourcetrixie(not affected)
python-aiohttpsource(unstable)3.14.1-1

Notes

[trixie] - python-aiohttp <not-affected> (Vulnerable code not present)
[bookworm] - python-aiohttp <not-affected> (Vulnerable code not present)
[bullseye] - python-aiohttp <not-affected> (Vulnerable code not present)
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-hpj7-wq8m-9hgp
Fixed by: https://github.com/aio-libs/aiohttp/commit/38d16060037e1bfcd6d677abababa3c2a4bb58fa (v3.14.1)
Introduced with: https://github.com/aio-libs/aiohttp/pull/10725 (master)
Introduced with: https://github.com/aio-libs/aiohttp/pull/10894 (v3.12.0b0)

Search for package or bug name: Reporting problems