High severity (7.5) · NVD Advisory · Published Apr 1, 2026 · Updated Apr 15, 2026
CVE-2026-34515
Description
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, on Windows the static resource handler may expose information about an NTLMv2 remote path. This issue has been patched in version 3.13.4.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| aiohttp (PyPI) | < 3.13.4 | 3.13.4 |
Affected products
Patches (1)
0ae2aa076c84 [PR #12125/f049588a backport][3.13] Block absolute paths in static files (#12128)
1 file changed · +4 −0
aiohttp/web_urldispatcher.py+4 −0 modified@@ -676,6 +676,10 @@ def __iter__(self) -> Iterator[AbstractRoute]: async def _handle(self, request: Request) -> StreamResponse: filename = request.match_info["filename"] + if Path(filename).is_absolute(): + # filename is an absolute path e.g. //network/share or D:\path + # which could be a UNC path leading to NTLM credential theft + raise HTTPNotFound() unresolved_path = self._directory.joinpath(filename) loop = asyncio.get_running_loop() return await loop.run_in_executor(
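Review bot: the new `Path(filename).is_absolute()` guard is evaluated with the host platform's path flavour, so the `D:\path` form named in the comment only counts as absolute when the server runs on Windows (on POSIX, `Path` is `PosixPath` and that string is an ordinary relative name); this matches the Windows-only scope of the advisory, but a one-line comment should say so, otherwise the check may later be taken for a portable one. The change is a single file (+4 −0) with no regression test for the two forms the comment cites, so add a test asserting that `//network/share` and `D:\path` style filenames are answered with 404 by the static handler. Raising `HTTPNotFound` rather than `HTTPForbidden` is the right choice here, since it reveals nothing about how the rejected name was parsed.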
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
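To show why the handler needed the check in the patch, an added example (not aiohttp's own code) reproduces the Windows path-join semantics with PureWindowsPath so it runs on any host; the static root and the request filenames are constructed, the latter being the two forms named in the patch comment plus a normal asset.

```python
from pathlib import PurePath, PureWindowsPath

# Constructed stand-in for the static root that aiohttp's StaticResource serves
# from (self._directory in the patched handler), as it would look on Windows.
STATIC_ROOT = PureWindowsPath(r"C:\srv\static")

def naive_join(root: PurePath, filename: str) -> PurePath:
    """Pre-3.13.4 behaviour: join the URL's filename straight onto the root.

    pathlib drops the left operand when the right one is absolute, so an
    absolute or UNC filename silently replaces the static root instead of
    landing beneath it."""
    return root.joinpath(filename)

def patched_join(root: PurePath, filename: str) -> PurePath:
    """3.13.4 behaviour: refuse absolute filenames before joining.

    The real handler raises HTTPNotFound; ValueError stands in for it here.
    The filename is parsed with the root's own flavour so the check applies
    Windows rules (drive letters, UNC prefixes) even when run on POSIX."""
    if type(root)(filename).is_absolute():
        raise ValueError(f"absolute path rejected: {filename!r}")
    return root.joinpath(filename)

def stays_under_root(root: PurePath, joined: PurePath) -> bool:
    """Containment check to apply after any join: True only if the joined
    path is still beneath root (same drive or UNC anchor, root is a parent)."""
    return joined.is_relative_to(root)

def describe(filename: str) -> dict:
    """Compare the unpatched and patched handling of one request filename."""
    joined = naive_join(STATIC_ROOT, filename)
    try:
        patched_join(STATIC_ROOT, filename)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "naive_result": str(joined),
        "naive_under_root": stays_under_root(STATIC_ROOT, joined),
        "patched_rejects": rejected,
    }

if __name__ == "__main__":
    # Constructed request names: a normal asset plus the two forms from the patch comment.
    for name in ("css/app.css", "//network/share/x", r"D:\path\x"):
        print(name, describe(name))
```

For the UNC name the unpatched join yields a path whose anchor is the remote host, which is what made the handler reach out to it; the patched join rejects it before any filesystem access.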
References (5)
- github.com/aio-libs/aiohttp/commit/0ae2aa076c84573df83fc1fdc39eec0f5862fe3d (nvd: Patch, Web)
- github.com/aio-libs/aiohttp/security/advisories/GHSA-p998-jp59-783m (nvd: Patch, Vendor Advisory, Web)
- github.com/advisories/GHSA-p998-jp59-783m (ghsa: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-34515 (ghsa: Advisory)
- github.com/aio-libs/aiohttp/releases/tag/v3.13.4 (nvd: Release Notes, Web)