Description
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, on Windows the static resource handler may expose information about a NTLMv2 remote path. This issue has been patched in version 3.13.4.
Published: 2026-04-01
Score: 6.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Credential Theft
Action: Apply Patch
AI Analysis

Impact

AIOHTTP’s static resource handler on Windows can unintentionally expose NTLMv2 credentials and local file contents when receiving a UNC path. This server‑side request forgery allows an attacker to retrieve authentication tokens or read files from the server, compromising confidential information. The vulnerability arises from the handling of static files under Windows paths and does not require elevated privileges on the target server.

Affected Systems

The issue affects the aio-libs aiohttp package in all releases prior to version 3.13.4. The patch is delivered in the 3.13.4 release and later, so any deployments running an older version are vulnerable.

Risk and Exploitability

The CVSS score is 6.6, indicating a moderate impact. EPSS data is unavailable and the flaw is not listed in the CISA KEV catalog. Exploitation appears to require network access to the server and the ability to control the request URL to the static resource handler. If an attacker can manipulate the URL, they can trigger the credential or file disclosure. The risk is considered moderate but should be mitigated promptly.

Generated by OpenCVE AI on April 2, 2026 at 02:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade aiohttp to version 3.13.4 or newer

Generated by OpenCVE AI on April 2, 2026 at 02:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-p998-jp59-783m AIOHTTP affected by UNC SSRF/NTLMv2 Credential Theft/Local File Read in static resource handler on Windows
History

Wed, 15 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Aiohttp
Aiohttp aiohttp
CPEs cpe:2.3:a:aiohttp:aiohttp:*:*:*:*:*:*:*:*
Vendors & Products Aiohttp
Aiohttp aiohttp
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Aio-libs
Aio-libs aiohttp
Vendors & Products Aio-libs
Aio-libs aiohttp
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 02 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-497
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

threat_severity

Moderate

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, on Windows the static resource handler may expose information about a NTLMv2 remote path. This issue has been patched in version 3.13.4.
Title AIOHTTP: UNC SSRF/NTLMv2 Credential Theft/Local File Read in static resource handler on Windows
Weaknesses CWE-36
CWE-918
References
Metrics cvssV4_0

{'score': 6.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U'}

Subscriptions

Aio-libs Aiohttp
Aiohttp Aiohttp
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T15:38:45.215Z

Reserved: 2026-03-30T16:03:31.047Z

Link: CVE-2026-34515

cve-icon Vulnrichment

Updated: 2026-04-02T15:38:37.256Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-01T21:16:59.570

Modified: 2026-04-15T14:08:02.267

Link: CVE-2026-34515

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-01T20:10:48Z

Links: CVE-2026-34515 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T20:16:43Z

Weaknesses