Cross-Origin Redirect Vulnerability in AIOHTTP Framework by aio-libs
CVE-2026-54276

6.3MEDIUM

Key Information:

Vendor: Aio-libs
Status: Aiohttp
Vendor: CVE Published:; 22 June 2026

What is CVE-2026-54276?

AIOHTTP, an asynchronous HTTP client/server framework for Python, has a vulnerability in the DigestAuthMiddleware that can lead to the exposure of user credentials. This occurs when following a cross-origin redirect, potentially allowing an attacker to initiate the process if there is an open redirect vulnerability in the target domain. The issue is particularly concerning if the cryptography used for authentication is weak or if users are reusing passwords. The vulnerability has been addressed in version 3.14.1.

Affected Version(s)

aiohttp < 3.14.1

References

https://github.com/aio-libs/aiohttp/security/advisories/G...

x_refsource_CONFIRM

https://github.com/aio-libs/aiohttp/commit/38d16060037e1b...

x_refsource_MISC

CVSS V4

Score:

6.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 22, 2026
Vulnerability Reserved
Jun 12, 2026

CVE-2026-54276 Data

JSON

Aio-libs

What is CVE-2026-54276?

Affected Version(s)

References

CVSS V4

Timeline