Decompression Vulnerability in urllib3 Affects Python HTTP Clients
CVE-2026-21441

8.9HIGH

Key Information:

Vendor: Urllib3
Status: Urllib3
Vendor: CVE Published:; 7 January 2026

What is CVE-2026-21441?

urllib3, an HTTP client library for Python, has a vulnerability that affects its streaming API. This API processes large HTTP responses efficiently by reading them in chunks. However, in versions 1.22 to 2.6.2, for HTTP redirect responses, urllib3 unnecessarily reads and decompresses the entire response body before any read operations. This behavior can be exploited by a malicious server through crafted redirect responses, leading to excessive resource consumption on the client due to decompression bombs. To mitigate the risk, users should upgrade to urllib3 version 2.6.3 or later, which prevents decoding of redirect response content when configured with preload_content=False. Alternatively, clients can disable redirects when working with untrusted sources by setting redirect=False.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

urllib3 >= 1.22, < 2.6.3

References

https://github.com/urllib3/urllib3/security/advisories/GH...

x_refsource_CONFIRM

https://github.com/urllib3/urllib3/commit/8864ac407bba860...

x_refsource_MISC

CVSS V4

Score:

8.9

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Timeline

Vulnerability published
Jan 7, 2026
Vulnerability Reserved
Dec 29, 2025

JSON

Urllib3

What is CVE-2026-21441?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V4

Timeline

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.