Description
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, DigestAuthMiddleware can send an authentication response after following a cross-origin redirect. This likely requires an open redirect vulnerability or similar on the target domain for an attacker to be able to execute. Further, the attacker is only receiving the digest, so should only be able to extract the user's credentials if the cryptography is weak or there is some kind of password reuse. This vulnerability is fixed in 3.14.1.
Published: 2026-06-22
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Based on the description, it is inferred that the vulnerability occurs when DigestAuthMiddleware sends authentication credentials after following a cross-origin redirect. An attacker who can influence the redirect path—such as through an open‑redirect flaw on the target domain—can cause a client to transmit digest responses to a controlled server. If the digest is weak or credentials are reused, this may allow credential compromise. The weakness is an information disclosure of authentication secrets, mapping to CWE-200, CWE-522, and CWE-940.

Affected Systems

The issue affects the aio-libs aiohttp asynchronous HTTP framework for Python. Any installation of aiohttp prior to version 3.14.1 that uses DigestAuthMiddleware and allows redirects to external origins is susceptible. The fix is released in 3.14.1.

Risk and Exploitability

With a CVSS score of 6.3 the vulnerability has moderate severity. Based on the description, it is inferred that exploitability requires an accessible redirect on the target domain. Attackers would need to deliver a crafted request that triggers a cross-origin redirect that the library follows, causing the client's digest response to be sent to the attacker’s server. No published exploits are known, and the issue is not in CISA KEV. The EPSS score is < 1%; thus, the likelihood of public exploitation remains unclear, but the presence of an open-redirect or similar makes it a realistic threat in vulnerable applications.

Generated by OpenCVE AI on June 24, 2026 at 09:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade aiohttp to 3.14.1 or newer.
  • Disable or configure DigestAuthMiddleware to reject cross-origin redirects, enforcing same-origin only.
  • Validate and sanitize redirect URLs to prevent open-redirect attacks in your routing logic.

Generated by OpenCVE AI on June 24, 2026 at 09:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-hpj7-wq8m-9hgp aiohttp: DigestAuthMiddleware Applies Credentials to Cross-Origin Redirect Challenges
History

Wed, 24 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-940
References
Metrics threat_severity

None

cvssV3_1

{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N'}

threat_severity

Low


Tue, 23 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Aio-libs
Aio-libs aiohttp
Vendors & Products Aio-libs
Aio-libs aiohttp

Mon, 22 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Description AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, DigestAuthMiddleware can send an authentication response after following a cross-origin redirect. This likely requires an open redirect vulnerability or similar on the target domain for an attacker to be able to execute. Further, the attacker is only receiving the digest, so should only be able to extract the user's credentials if the cryptography is weak or there is some kind of password reuse. This vulnerability is fixed in 3.14.1.
Title AIOHTTP: DigestAuthMiddleware Applies Credentials to Cross-Origin Redirect Challenges
Weaknesses CWE-200
CWE-522
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Aio-libs Aiohttp
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T16:10:07.862Z

Reserved: 2026-06-12T17:13:32.280Z

Link: CVE-2026-54276

cve-icon Vulnrichment

Updated: 2026-06-23T16:06:47.193Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-22T16:36:23Z

Links: CVE-2026-54276 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T09:30:06Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor

  • CWE-522

    Insufficiently Protected Credentials

  • CWE-940

    Improper Verification of Source of a Communication Channel