SB2026060241 - Multiple vulnerabilities in aiohttp

Description

This security bulletin contains information about 2 vulnerabilities.

1) Improper access control (CVE-ID: CVE-2026-47265)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in request redirect handling when following a cross-origin redirect after setting per-request cookies. A remote attacker can control a redirect to disclose sensitive information.

The issue occurs only when cookies are supplied through the per-request cookies parameter.

2) Deserialization of Untrusted Data (CVE-ID: CVE-2026-34993)

CWE-ID: CWE-502 - Deserialization of Untrusted Data

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a local privileged user to execute arbitrary code.

The vulnerability exists due to deserialization of untrusted data in CookieJar.load() when loading untrusted input. A local privileged user can supply a crafted file to execute arbitrary code.

User interaction is required to load the crafted file.

Remediation

Install update from vendor's website.

References

• https://github.com/aio-libs/aiohttp/security/advisories/GHSA-hg6j-4rv6-33pg
• https://github.com/aio-libs/aiohttp/commit/f54c40851b0d6c4bbdab97ba518a223adda32478
• https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jg22-mg44-37j8
• https://github.com/aio-libs/aiohttp/commit/dcf40f30637e8752c76781cf6703b5a236749a00