VYPR
Vypr Intelligence · AI-generated · Jun 15, 2026 · 9 CVEs

Aiohttp: Nine CVEs Disclosed in a Single Day, Five Memory-Exhaustion DoS Flaws

Nine security vulnerabilities — five of them memory-exhaustion denial-of-service bugs — were disclosed together in the aiohttp Python async HTTP library on June 15, 2026.

Key findings

  • Nine CVEs disclosed together on June 15, 2026, five of which are memory-exhaustion DoS flaws
  • CVE-2026-54274: incomplete WebSocket frames bypass memory limits, enabling DoS
  • CVE-2026-54276: DigestAuthMiddleware leaks credentials on cross-origin redirects
  • CVE-2026-54279: host-only cookies become domain cookies after CookieJar persistence
  • CVE-2026-54277: C HTTP parser bypasses max_line_size for fragmented lines
  • All CVEs have patches available; no active exploitation reported

On June 15, 2026, the maintainers of aiohttp — the popular asynchronous HTTP client/server framework for Python — disclosed nine distinct security vulnerabilities in a single coordinated release. The batch spans denial-of-service (DoS) vectors, authentication bypass, cookie integrity issues, and a CRLF injection, affecting users of the library across versions. Several of the flaws involve memory-exhaustion attacks that could be triggered through WebSocket frames, pipelined HTTP/1 requests, or compressed request bodies, making the cluster particularly relevant for any service relying on aiohttp's HTTP and WebSocket handling.

Memory-Exhaustion and DoS Vulnerabilities

The largest thematic group concerns resource exhaustion. CVE-2026-54274 describes how incomplete WebSocket frame payloads can bypass the library's usual memory-size limits, enabling a remote attacker to cause excessive memory consumption and a denial-of-service condition on any application that exposes WebSocket endpoints. CVE-2026-54273 addresses a missing limit on HTTP/1 pipelined requests: an attacker can queue an unbounded number of pipelined requests, again leading to memory exhaustion. CVE-2026-54278 covers a zip-bomb edge case in which unread compressed request bodies are decompressed into memory in a single chunk during cleanup, bypassing the client_max_size constraint. CVE-2026-54277 reports that the optimized C HTTP parser (the default in pre-built wheels) fails to enforce the max_line_size check for fragmented lines, allowing oversized lines to consume excessive memory. Finally, CVE-2026-54280 notes that payload resources — such as open file handles — are not closed when a client disconnects mid-body, which an attacker could exploit to cause temporary resource starvation.
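The incomplete-frame case (CVE-2026-54274) comes down to where a size limit is checked. The Python below is an added example written for this page, not aiohttp's code: it contrasts a reassembler that checks the limit only when a message completes (so a peer that never sends the final fragment grows the buffer without bound) with one that counts every buffered byte, partial frames included. The class names, the `max_msg_size` limit and the 400-byte fragments are constructed for the illustration.

```python
"""Bounded reassembly of fragmented WebSocket payloads.

Added example; not aiohttp code. Models the check a receiver must make so
that a partial (incomplete) frame cannot grow past the message size limit.
"""
from typing import Optional


class MessageTooBig(Exception):
    """Raised when buffered payload bytes would exceed the configured limit."""


class CompleteOnlyReassembler:
    """Vulnerable pattern: the limit is checked only when a message completes,
    so a peer that never sends the final fragment grows the buffer unbounded."""

    def __init__(self, max_msg_size: int) -> None:
        self.max_msg_size = max_msg_size
        self._buf = bytearray()

    def buffered(self) -> int:
        return len(self._buf)

    def feed(self, chunk: bytes, fin: bool) -> Optional[bytes]:
        self._buf.extend(chunk)  # no check here: partial data is unbounded
        if not fin:
            return None
        if len(self._buf) > self.max_msg_size:
            self._buf.clear()
            raise MessageTooBig("message exceeds limit")
        msg = bytes(self._buf)
        self._buf.clear()
        return msg


class BoundedReassembler(CompleteOnlyReassembler):
    """Hardened pattern: every byte counts toward the limit as it arrives."""

    def feed(self, chunk: bytes, fin: bool) -> Optional[bytes]:
        # Reject before copying so the oversized chunk is never held in memory.
        if len(self._buf) + len(chunk) > self.max_msg_size:
            self._buf.clear()
            raise MessageTooBig(
                f"partial payload would exceed {self.max_msg_size} bytes"
            )
        self._buf.extend(chunk)
        if not fin:
            return None
        msg = bytes(self._buf)
        self._buf.clear()
        return msg


def peak_buffered(reassembler, chunk: bytes, fragments: int) -> int:
    """Feed `fragments` non-final chunks; return the largest amount buffered
    before the reassembler either accepted them all or raised MessageTooBig."""
    peak = 0
    for _ in range(fragments):
        try:
            reassembler.feed(chunk, fin=False)
        except MessageTooBig:
            break
        peak = max(peak, reassembler.buffered())
    return peak


if __name__ == "__main__":
    # Constructed input: a 1 KiB limit and 400-byte fragments that never finish.
    print("complete-only:", peak_buffered(CompleteOnlyReassembler(1024), b"x" * 400, 10))
    print("bounded:      ", peak_buffered(BoundedReassembler(1024), b"x" * 400, 10))
```

With a 1024-byte limit, the complete-only reassembler holds 4000 bytes after ten unfinished fragments and would keep growing; the bounded one rejects the third fragment and never holds more than 800. The same "check on every increment, not on completion" rule applies to the pipelined-request queue and the line buffer described for CVE-2026-54273 and CVE-2026-54277.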

Authentication and Cookie Integrity Issues

CVE-2026-54276 affects the DigestAuthMiddleware component: when the client follows a cross-origin redirect (the default behavior), the middleware can send an authentication digest to an attacker-controlled domain. Exploitation likely requires an open redirect vulnerability elsewhere, but the consequence is credential leakage. CVE-2026-54279 describes a cookie-jar persistence bug: host-only cookies saved with CookieJar.save() and later restored with CookieJar.load() lose their host-only flag, meaning cookies that should be restricted to a single domain may be sent to subdomains after a restart.
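The redirect case hinges on an origin comparison before credentials are reused. The Python below is an added example for this page, not aiohttp's DigestAuthMiddleware: it resolves a Location header against the request URL, compares scheme, host and effective port, and drops credential-bearing headers when the origin changes. The header set and the treatment of a digest Authorization header like any other credential header are assumptions of the example.

```python
"""Dropping credentials on cross-origin redirects.

Added example; not aiohttp code. Shows the policy a client-side auth
middleware needs: credentials minted for one origin must not be replayed
to a redirect target on a different origin.
"""
from typing import Dict, Tuple
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

# Headers that carry credentials. Assumption for this example: a digest
# middleware's Authorization header is treated the same as any other.
CREDENTIAL_HEADERS = frozenset({"authorization", "proxy-authorization", "cookie"})


def origin(url: str) -> Tuple[str, str, int]:
    """(scheme, host, port) triple with default ports filled in and case folded."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme, 0)
    return scheme, host, port


def same_origin(a: str, b: str) -> bool:
    return origin(a) == origin(b)


def redirect_target(request_url: str, location: str) -> str:
    """Absolute URL for a Location value, which may be relative."""
    return urljoin(request_url, location)


def headers_for_redirect(
    request_url: str, location: str, headers: Dict[str, str]
) -> Dict[str, str]:
    """Headers to send when following `location` from `request_url`.

    Same origin: forward everything. Different origin: strip credentials so an
    attacker-controlled redirect target never receives the digest or cookies.
    """
    target = redirect_target(request_url, location)
    if same_origin(request_url, target):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in CREDENTIAL_HEADERS}


if __name__ == "__main__":
    # Constructed request headers and redirect targets.
    hdrs = {"Authorization": "Digest username=\"alice\"", "Accept": "*/*"}
    print(headers_for_redirect("https://api.example.com/login", "/home", hdrs))
    print(headers_for_redirect("https://api.example.com/login", "https://other.example/", hdrs))
```

Note that a scheme downgrade (https to http on the same host) is also treated as a different origin, which is the conservative choice for credential replay.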

TLS and Injection Flaws

CVE-2026-54275 is a low-severity TLS Server Name Indication (SNI) bypass: when an HTTPS connection is reused, the server_hostname override parameter is ignored, so a later request intended for a different hostname may succeed on the existing connection rather than failing. CVE-2026-50269 addresses a CRLF injection in multipart headers: if an application passes user-controlled strings into MultipartWriter.append(headers=...) or Payload.headers, an attacker can inject additional headers or modify the request structure.
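For the multipart CRLF issue, the mitigation on the application side is to validate any caller-supplied header name or value before it reaches the writer. The Python below is an added example, not aiohttp's MultipartWriter: it applies a token allow-list to names and rejects control characters in values, then renders the part header block so the wire format is visible. The regular expressions are a conservative allow-list assumed for this example; aiohttp's own accepted syntax may differ.

```python
"""Validating caller-supplied multipart part headers before they are emitted.

Added example; not aiohttp code. Shows the check to apply to any
user-controlled header name or value before passing it to a multipart
writer, so a CR or LF in the value cannot end the header and start a new one.
"""
import re
from typing import Dict, Tuple

# Header field-name syntax (RFC 9110 token characters). Assumption: aiohttp's
# own accepted syntax may differ; this is a conservative allow-list.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# Control characters that would break out of a header line (tab is allowed).
_FORBIDDEN_IN_VALUE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


class HeaderInjection(ValueError):
    """Raised when a header name or value could alter the part's header block."""


def validate_part_header(name: str, value: str) -> Tuple[str, str]:
    if not _TOKEN.match(name):
        raise HeaderInjection(f"invalid header name: {name!r}")
    if _FORBIDDEN_IN_VALUE.search(value):
        raise HeaderInjection(f"control character in value of {name}")
    return name, value


def sanitize_part_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Return the headers unchanged, or raise HeaderInjection on the first bad entry."""
    return dict(validate_part_header(k, v) for k, v in headers.items())


def render_part_headers(headers: Dict[str, str]) -> bytes:
    """Wire form of a part's header block, as a multipart writer would emit it."""
    lines = [f"{k}: {v}" for k, v in sanitize_part_headers(headers).items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("utf-8")


if __name__ == "__main__":
    # Constructed headers: one clean set, one with a CRLF embedded in a value.
    print(render_part_headers({"Content-Type": "text/plain"}))
    try:
        sanitize_part_headers({"X-Note": "a\r\nX-Injected: 1"})
    except HeaderInjection as exc:
        print("rejected:", exc)
```

The render function exists only to make the point concrete: each header is terminated by CRLF, so a CRLF inside a value is indistinguishable on the wire from the end of that header, which is why the check has to happen before serialization rather than after.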

Patch Status and Mitigations

The aiohttp project has released patches for all nine CVEs. The fixes are available in the aiohttp GitHub repository. Users are advised to upgrade to the latest patched version. For CVE-2026-54278 (the compressed-body zip-bomb scenario), disabling compression on the server side is listed as a workaround. No evidence of active exploitation in the wild has been reported at the time of disclosure.

Why This Batch Matters

Aiohttp is a foundational library in the Python async ecosystem, used by thousands of web applications, API gateways, and microservices. The simultaneous disclosure of nine CVEs — five of them centered on memory-exhaustion DoS — signals that the library's resource-management and parser code required a broad hardening pass. Users running aiohttp in production should prioritize updating to the latest release, particularly if they expose WebSocket endpoints or accept compressed request bodies.

AI-written article. Grounded in 9 CVE records listed below.