AIOHTTP Vulnerable to Deserialization of Untrusted Data
Summary
| CVE | CVE-2026-34993 |
|---|---|
| State | PUBLISHED |
| Assigner | GitHub_M |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-02 20:16:34 UTC |
| Updated | 2026-07-10 12:16:42 UTC |
| Description | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, using ``CookieJar.load()`` with untrusted input may allow arbitrary code execution. Most applications using this function will be doing so with the user's own data, so this is unlikely to affect many applications. Version 3.14.0 patches the issue. If an application does allow attacker controlled files to be loaded, a workaround on older releases would be to sanitize the files before loading. |
Risk And Classification
Primary CVSS: v3.1 7.3 HIGH from [email protected]
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.001280000 probability, percentile 0.028550000 (date 2026-07-13)
Problem Types: CWE-502 | CWE-502 CWE-502: Deserialization of Untrusted Data | CWE-502 Deserialization of Untrusted Data
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 7.3 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
| 3.1 | ADP | CVSS | 7.2 | HIGH | CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H |
| 3.1 | [email protected] | Secondary | 6.4 | MEDIUM | CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:H/A:L |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 7.2 | HIGH | CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H |
| 3.1 | CNA | DECLARED | 6.4 | MEDIUM | CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:H/A:L |
CVSS v3.1 Breakdown
Attack Vector
LocalAttack Complexity
LowPrivileges Required
LowUser Interaction
RequiredScope
UnchangedConfidentiality
HighIntegrity
HighAvailability
HighCVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Aio-libs | Aiohttp | affected < 3.14.0 | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI 2.25 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI 3.3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI 3.4 | Not specified | Not specified |
| ADP | Red Hat | Exploit Intelligence | Not specified | Not specified |
| ADP | Red Hat | Migration Toolkit For Applications 8 | Not specified | Not specified |
| ADP | Red Hat | OpenShift Lightspeed | Not specified | Not specified |
| ADP | Red Hat | Red Hat AI Inference Server | Not specified | Not specified |
| ADP | Red Hat | Red Hat Ansible Automation Platform 2 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Ansible Automation Platform Ansible Core 2 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Discovery 2 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux AI RHEL AI 3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
| ADP | Red Hat | Red Hat Satellite 6 | Not specified | Not specified |
| ADP | Red Hat | Lightspeed Core | Not specified | Not specified |
| ADP | Red Hat | Red Hat Hardened Images | Not specified | Not specified |
| ADP | Red Hat | Red Hat Update Infrastructure 4 For Cloud Providers | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| access.redhat.com/security/cve/CVE-2026-34993 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:34456 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:24977 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| github.com/aio-libs/aiohttp/commit/dcf40f30637e8752c76781cf6703b5a236749a00 | [email protected] | github.com | Patch |
| access.redhat.com/errata/RHSA-2026:37275 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-34993.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| github.com/aio-libs/aiohttp/security/advisories/GHSA-jg22-mg44-37j8 | [email protected] | github.com | Mitigation, Patch, Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-06-02T20:01:12.690Z | Reported to Red Hat. |
| ADP | 2026-06-02T18:29:15.847Z | Made public. |
Solutions
ADP: RHSA-2026:24977: Red Hat OpenShift AI 2.25
ADP: RHSA-2026:37275: Red Hat OpenShift AI 3.3
ADP: RHSA-2026:34456: Red Hat OpenShift AI 3.4
There are currently no legacy QID mappings associated with this CVE.