
aiohttp CVE-2026-34993

EUVD-2026-34001 MEDIUM
Deserialization of Untrusted Data (CWE-502)
2026-06-02 GitHub_M GHSA-jg22-mg44-37j8
6.4
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory (primary): 6.4 MEDIUM, AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:H/A:L
SUSE: MEDIUM (qualitative)
Red Hat: 7.2 HIGH (qualitative)

Primary rating from GitHub Advisory.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:H/A:L
Attack Vector: Local
Attack Complexity: High
Privileges Required: High
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: High
Availability: Low

Lifecycle Timeline

  • Patch available: Jun 02, 2026 - 21:02 (EUVD)
  • Source Code Evidence Fetched: Jun 02, 2026 - 20:30 (vuln.today)
  • Analysis Generated: Jun 02, 2026 - 20:30 (vuln.today)

Blast Radius

Ecosystem impact († from your stack dependencies; transitive graph, resolved by vuln.today to 4-path depth):
  • 41 PyPI packages depend on aiohttp (10 direct, 32 indirect)

Ecosystem-wide dependent count for version 3.14.0.

Description (GitHub Advisory)

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, using `CookieJar.load()` with untrusted input may allow arbitrary code execution. Most applications using this function will be doing so with the user's own data, so this is unlikely to affect many applications. Version 3.14.0 patches the issue. If an application does allow attacker controlled files to be loaded, a workaround on older releases would be to sanitize the files before loading.

Analysis (AI)

Arbitrary code execution in aiohttp's CookieJar.load() prior to version 3.14.0 stems from use of Python's unsafe pickle.load() to deserialize cookie files, allowing a malicious pickle payload to execute arbitrary Python code at load time. Affected are all aiohttp releases below 3.14.0 where an application passes attacker-controlled file input to CookieJar.load(). …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Gain local filesystem write access
Delivery: Place malicious pickle payload at target file path
Exploit: Trigger application code path calling CookieJar.load()
Execution: Restricted unpickler absent (pre-3.14.0) executes pickle opcodes
Persist: Arbitrary Python code runs as aiohttp process user
Impact: Achieve RCE with changed scope impact

Vulnerability Assessment (AI)

Exploitation: Exploitation requires that the application passes attacker-controlled file contents or file paths to CookieJar.load(); this is a non-default, application-specific behavior explicitly called out in the advisory as uncommon. …
Risk Assessment: CVSS 6.4 (Medium) is appropriate given the heavily restricted attack conditions encoded in the vector: AV:L (local filesystem access required), AC:H (high attack complexity), PR:H (high privileges required), UI:R (user interaction required), and S:C (changed scope: the malicious payload can escape the process boundary). …
Exploit Scenario: An attacker who can write or replace a file that a privileged aiohttp application subsequently passes to CookieJar.load() (for example via a shared filesystem, a file-upload endpoint that feeds into this API, or a symlink attack) crafts a malicious pickle payload that embeds a Python os.system() or subprocess call. When the application calls CookieJar.load() on the crafted file, the pickle Unpickler executes the embedded opcode, spawning an attacker-controlled subprocess with the privileges of the aiohttp process. …
Remediation: Upgrade to aiohttp 3.14.0, which patches the issue by replacing raw pickle.load() with a JSON-first deserialization path and a restricted unpickler fallback; the vendor-released patch is confirmed via GitHub commit dcf40f30637e8752c76781cf6703b5a236749a00 and advisory GHSA-jg22-mg44-37j8. …
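The mitigation pattern the remediation describes, as an added illustrative example that is not aiohttp's own code: a JSON-first loader whose legacy fallback is a pickle.Unpickler subclass allowing only the stdlib cookie classes, so any other global reference fails in find_class before anything is instantiated. The allowlist, the JSON file layout and the helper names are assumptions made for this example.

```python
import collections
import io
import json
import pickle
from http.cookies import SimpleCookie

# Hypothetical allowlist (not aiohttp's own list): the only globals a legacy
# cookie-jar pickle legitimately needs are the stdlib cookie types.
ALLOWED_GLOBALS = {("http.cookies", "SimpleCookie"), ("http.cookies", "Morsel")}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global reference not on the allowlist."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        # Raised before any object is built, so a reference to an arbitrary
        # callable is never resolved, let alone invoked.
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def load_cookie_file(data: bytes) -> SimpleCookie:
    """JSON-first loader; legacy pickle files go through RestrictedUnpickler."""
    try:
        mapping = json.loads(data.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):  # not JSON: treat as legacy pickle
        mapping = None
    if isinstance(mapping, dict):
        return SimpleCookie({name: str(value) for name, value in mapping.items()})
    obj = RestrictedUnpickler(io.BytesIO(data)).load()
    if not isinstance(obj, SimpleCookie):
        raise pickle.UnpicklingError("cookie file did not contain a SimpleCookie")
    return obj


def make_legacy_pickle(cookies: dict) -> bytes:
    """Constructed sample input: a cookie file in the old pickle format."""
    return pickle.dumps(SimpleCookie(cookies), protocol=pickle.HIGHEST_PROTOCOL)


def forbidden_sample() -> bytes:
    """Constructed sample whose pickle references a global outside the allowlist."""
    return pickle.dumps(collections.OrderedDict(session="abc"))


def rejects(data: bytes) -> bool:
    """True when the loader refuses the input instead of deserializing it."""
    try:
        load_cookie_file(data)
    except pickle.UnpicklingError:
        return True
    return False
```

A benign non-allowlisted class stands in for the malicious reference here; the refusal path is identical because find_class runs before any object from the stream is constructed.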


Vendor Status

SUSE

Severity: Medium
Product Status:
  • SUSE Linux Enterprise Desktop 15 SP7: Fixed
  • SUSE Linux Enterprise High Performance Computing 15 SP7: Fixed
  • SUSE Linux Enterprise Module for Public Cloud 15 SP7: Fixed
  • SUSE Linux Enterprise Module for Python 3 15 SP7: Fixed
  • SUSE Linux Enterprise Server 15 SP7: Fixed


CVE-2026-34993 vulnerability details – vuln.today
