Improper access control in aiohttp - #VU133995

 


Published: June 9, 2026


Vulnerability identifier: #VU133995
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: aio-libs
Affected software:
aiohttp

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in DigestAuthMiddleware when following a cross-origin redirect and handling an authentication challenge. A remote attacker who can cause the client to follow a redirect to an attacker-controlled domain can obtain the digest authentication response the client sends in answer to that domain's challenge, disclosing sensitive information.

Exploitation likely requires an open redirect or similar condition on the target domain, and the exposed digest may only enable credential recovery when weak cryptography or password reuse is involved.
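The defensive check this advisory implies is that a client should answer a digest challenge only from the origin it originally authenticated against, not from whatever host a redirect chain lands on. The following added example (not aiohttp's code, and not the project's fix) shows that policy in plain Python: an origin comparison plus a small simulated redirect-following client whose "network" is an in-memory dict of constructed responses. The hostnames `api.example.test` and `evil.example.test`, the `FakeResponse` and `SimulatedClient` types, and the `scope_to_origin` switch are all assumptions made for the illustration.

```python
"""
Added example, not aiohttp's code: an origin-scoped policy for answering
HTTP Digest challenges while following redirects. All URLs, hostnames and
the in-memory "server" responses below are constructed for illustration.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> tuple[str, str, int]:
    """Return (scheme, host, effective port), i.e. the web origin of url."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme, -1)
    return scheme, host, port


def same_origin(url_a: str, url_b: str) -> bool:
    """True only when scheme, host and effective port all match."""
    return origin_of(url_a) == origin_of(url_b)


@dataclass
class FakeResponse:
    """Constructed stand-in for an HTTP response (status + headers)."""
    status: int
    headers: dict = field(default_factory=dict)


@dataclass
class SimulatedClient:
    """Minimal redirect-following client; `network` maps URL -> FakeResponse.

    credentials_sent_to records every host that received a digest response,
    which is the observable a defender cares about here.
    """
    network: dict
    scope_to_origin: bool = True
    credentials_sent_to: list = field(default_factory=list)

    def fetch(self, start_url: str, max_redirects: int = 5) -> int:
        url = start_url
        for _ in range(max_redirects + 1):
            resp = self.network[url]
            if resp.status in (301, 302, 303, 307, 308):
                url = resp.headers["Location"]  # constructed: absolute URLs only
                continue
            challenge = resp.headers.get("WWW-Authenticate", "")
            if resp.status == 401 and challenge.startswith("Digest "):
                if self.scope_to_origin and not same_origin(start_url, url):
                    # Hardened behaviour: the challenge came from a different
                    # origin than the one we started at, so do not answer it.
                    return 401
                # Legacy / same-origin path: answer the challenge.
                self.credentials_sent_to.append(origin_of(url)[1])
                return 200  # constructed: assume the authenticated retry succeeds
            return resp.status
        raise RuntimeError("too many redirects")


# Constructed scenario: the trusted API redirects (e.g. via an open redirect)
# to an attacker-controlled host that issues its own Digest challenge.
NETWORK = {
    "https://api.example.test/report": FakeResponse(
        302, {"Location": "https://evil.example.test/collect"}),
    "https://evil.example.test/collect": FakeResponse(
        401, {"WWW-Authenticate": 'Digest realm="x", nonce="abc", qop="auth"'}),
    "https://api.example.test/login": FakeResponse(
        401, {"WWW-Authenticate": 'Digest realm="api", nonce="def", qop="auth"'}),
}


def run_demo() -> tuple[list, list]:
    """Return (hosts that got credentials from the hardened client,
    hosts that got credentials from the legacy client)."""
    hardened = SimulatedClient(NETWORK, scope_to_origin=True)
    legacy = SimulatedClient(NETWORK, scope_to_origin=False)
    hardened.fetch("https://api.example.test/report")  # cross-origin: refused
    hardened.fetch("https://api.example.test/login")   # same origin: answered
    legacy.fetch("https://api.example.test/report")    # cross-origin: leaked
    return hardened.credentials_sent_to, legacy.credentials_sent_to


if __name__ == "__main__":
    print(run_demo())
```

The point of the comparison is the `credentials_sent_to` list: with the origin check, only `api.example.test` ever sees a digest response, whereas the legacy path sends one to `evil.example.test`. Note that `same_origin` normalises the default port, so `https://host/` and `https://host:443/` compare equal, while a scheme change (`https` to `http`) does not.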


Remediation

Install security update from vendor's website.

Sources