
aiohttp CVE-2026-54276

MEDIUM
Information Exposure (CWE-200)
2026-06-15 https://github.com/aio-libs/aiohttp GHSA-hpj7-wq8m-9hgp

Severity by source

vuln.today AI: 3.1 (LOW)

AC:H reflects the open-redirect precondition; UI:R because the victim client must initiate the redirected request; C:L since only the digest hash is exposed, not plaintext credentials.

CVSS 3.1: AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
CVSS 4.0: AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Lifecycle Timeline

Source Code Evidence Fetched
Jun 15, 2026 - 20:33 vuln.today
Analysis Generated
Jun 15, 2026 - 20:33 vuln.today

Blast Radius

Ecosystem impact (transitive dependency graph resolved by vuln.today to a depth of 4 paths):
  • 40,758 pypi packages depend on aiohttp (14,350 direct, 27,144 indirect)

Ecosystem-wide dependent count for version 3.14.1.

Description (CVE.org)

Summary

`DigestAuthMiddleware` can send an authentication response after following a cross-origin redirect.

Impact

If the client follows a redirect (the default option) to an attacker-controlled domain, the attacker may be able to extract the auth digest.

This likely requires an open redirect vulnerability or similar on the target domain for an attacker to be able to execute. Further, the attacker is only receiving the digest, so should only be able to extract the user's credentials if the cryptography is weak or there is some kind of password reuse.

Workaround

Disable `follow_redirects` if this is a concern.

-----

Patch: https://github.com/aio-libs/aiohttp/commit/38d16060037e1bfcd6d677abababa3c2a4bb58fa

Analysis (AI)

DigestAuthMiddleware in aiohttp leaks HTTP Digest authentication credentials to attacker-controlled cross-origin redirect targets. Applications using DigestAuthMiddleware with the default follow_redirects behavior are affected in versions up to and including 3.14.0. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Identify open redirect on origin server
  • Delivery: Lure aiohttp client to request redirecting origin URL
  • Exploit: aiohttp client follows cross-origin redirect (default)
  • Execution: DigestAuthMiddleware attaches digest to cross-origin request
  • Persist: Attacker-controlled server captures Authorization header
  • Impact: Offline attack to recover credentials from digest hash

Vulnerability Assessment (AI)

Exploitation: Exploitation requires all of the following conditions simultaneously: (1) the target application uses aiohttp's DigestAuthMiddleware for HTTP client authentication; (2) follow_redirects is enabled (this is the aiohttp client default); (3) the origin server (or a server the client is directed to) contains an open redirect vulnerability or a mechanism that causes a cross-origin 3xx redirect to an attacker-controlled domain. …

Risk Assessment: No CVSS score or vector was provided by the reporter, so risk metrics are assessed independently. …

Exploit Scenario: An attacker identifies or controls an open redirect endpoint on a server that aiohttp clients authenticate against using DigestAuthMiddleware. When a client makes a request to that server, the attacker's redirect target (e.g., attacker.example.com) receives the computed Digest Authorization header containing the hashed credentials. …

Remediation: Upgrade aiohttp to version 3.14.1, which scopes DigestAuthMiddleware credentials to the origin of the first request and prevents cross-origin digest responses (vendor patch: https://github.com/aio-libs/aiohttp/commit/38d16060037e1bfcd6d677abababa3c2a4bb58fa, advisory: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-hpj7-wq8m-9hgp). …
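The Workaround and Remediation passages above describe the same defensive idea from two sides: either stop following redirects, or (as the 3.14.1 fix does) attach the Digest response only to requests that stay on the origin of the first request. The following is an added, dependency-free example written for this page, not aiohttp's own middleware code; `origin_of`, `same_origin` and `follow_with_scoped_auth` are hypothetical helper names, and the redirect chain in `CONSTRUCTED_RESPONSES` is constructed test data standing in for the network. It goes slightly beyond the advisory text by showing the edge cases an origin check has to get right: explicit versus default ports, an https-to-http downgrade, and a userinfo lookalike URL.

```python
"""Origin-scoped credential attachment for a redirect-following HTTP client.

Added example, not aiohttp's own code: a minimal model of "scope the Digest
response to the origin of the first request", run against a constructed
redirect chain so the decision at every hop is visible.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Default ports, so "https://h/" and "https://h:443/" compare as one origin.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> tuple[str, str, int | None]:
    """Return the (scheme, host, effective port) origin tuple of a URL.

    urlsplit().hostname ignores any userinfo, so a lookalike such as
    https://api.example.com@attacker.example.com/ resolves to the real
    host (attacker.example.com) rather than the text before the '@'.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def same_origin(first_url: str, request_url: str) -> bool:
    """True only if scheme, host and effective port all match."""
    return origin_of(first_url) == origin_of(request_url)


def follow_with_scoped_auth(first_url: str, responses: dict, max_hops: int = 10) -> list:
    """Simulate a client that follows 3xx redirects.

    `responses` maps a URL to (status, Location) and is constructed data
    standing in for the network. Returns one (url, auth_attached) pair per
    request the client makes; the Digest header is attached only on hops
    that remain on the first request's origin.
    """
    trail = []
    url = first_url
    for _ in range(max_hops):
        trail.append((url, same_origin(first_url, url)))
        status, location = responses.get(url, (200, None))
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        url = location
    return trail


# Constructed chain: the origin server's open redirect bounces the client
# (via a same-origin hop with an explicit :443) to an attacker-controlled
# host. Unscoped behaviour would send the digest to every hop; the scoped
# check drops it at the cross-origin hop.
CONSTRUCTED_RESPONSES = {
    "https://api.example.com/login": (302, "https://api.example.com:443/go?to=x"),
    "https://api.example.com:443/go?to=x": (302, "https://attacker.example.com/capture"),
    "https://attacker.example.com/capture": (200, None),
}

if __name__ == "__main__":
    for hop, attached in follow_with_scoped_auth("https://api.example.com/login", CONSTRUCTED_RESPONSES):
        print(f"{'AUTH' if attached else 'no auth':8} {hop}")
```

The same comparison is what a reviewer would look for when auditing any client-side auth middleware: the decision has to be made per request (not once per session), it must normalise default ports and scheme case so legitimate same-origin hops keep working, and it must compare the parsed host rather than the raw netloc string so userinfo tricks do not pass the check.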
