High severity7.5NVD Advisory· Published Apr 1, 2026· Updated Apr 15, 2026
CVE-2026-34515
CVE-2026-34515
Description
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, on Windows the static resource handler may expose information about a NTLMv2 remote path. This issue has been patched in version 3.13.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
aiohttpPyPI | < 3.13.4 | 3.13.4 |
Affected products
35- osv-coords34 versionspkg:apk/chainguard/airflow-2pkg:apk/chainguard/airflow-3pkg:apk/chainguard/airflow-core-2pkg:apk/chainguard/authentik-2025.12pkg:apk/chainguard/authentik-2026.2pkg:apk/chainguard/authentik-fips-2025.12pkg:apk/chainguard/authentik-fips-2026.2pkg:apk/chainguard/awxpkg:apk/chainguard/checkovpkg:apk/chainguard/dask-kubernetespkg:apk/chainguard/datahub-ingestionpkg:apk/chainguard/datahub-ingestion-fipspkg:apk/chainguard/keep-apipkg:apk/chainguard/keep-api-fipspkg:apk/chainguard/kserve-storage-controllerpkg:apk/chainguard/kubeflow-pipelines-visualization-serverpkg:apk/chainguard/litellmpkg:apk/chainguard/metaflow-servicepkg:apk/chainguard/metaflow-service-fipspkg:apk/chainguard/open-webuipkg:apk/chainguard/py3.13-scanner-test-libraries-aiohttppkg:apk/chainguard/py3-cassandra-medusapkg:apk/chainguard/request-1276pkg:apk/chainguard/text-generation-inferencepkg:apk/chainguard/tritonserver-backend-vllm-cuda-12.9pkg:apk/chainguard/tritonserver-backend-vllm-cuda-13.0pkg:apk/wolfi/airflow-3pkg:apk/wolfi/checkovpkg:apk/wolfi/dask-kubernetespkg:apk/wolfi/kserve-storage-controllerpkg:apk/wolfi/kubeflow-pipelines-visualization-serverpkg:apk/wolfi/open-webuipkg:apk/wolfi/py3-cassandra-medusapkg:pypi/aiohttp
< 2.11.2-r5+ 33 more
- (no CPE)range: < 2.11.2-r5
- (no CPE)range: < 3.2.1-r0
- (no CPE)range: < 2.11.2-r3
- (no CPE)range: < 2025.12.4-r3
- (no CPE)range: < 2026.2.1-r3
- (no CPE)range: < 2025.12.4-r3
- (no CPE)range: < 2026.2.1-r3
- (no CPE)range: < 24.6.1-r33
- (no CPE)range: < 3.2.517-r0
- (no CPE)range: < 2026.3.0-r3
- (no CPE)range: < 1.6.0-r1
- (no CPE)range: < 1.5.0.1-r1
- (no CPE)range: < 0.51.0-r2
- (no CPE)range: < 0.51.0-r2
- (no CPE)range: < 0.17.0-r2
- (no CPE)range: < 2.16.0-r4
- (no CPE)range: < 1.82.3.0-r3
- (no CPE)range: < 2.5.0-r10
- (no CPE)range: < 2.5.0-r2
- (no CPE)range: < 0.8.12-r3
- (no CPE)range: < 0.0.1-r3
- (no CPE)range: < 0.27.1-r2
- (no CPE)range: < 0.27.1-r2
- (no CPE)range: < 3.3.7-r10
- (no CPE)range: < 25.9.0_git20260318-r1
- (no CPE)range: < 25.11-r3
- (no CPE)range: < 3.2.1-r0
- (no CPE)range: < 3.2.517-r0
- (no CPE)range: < 2026.3.0-r3
- (no CPE)range: < 0.17.0-r2
- (no CPE)range: < 2.16.0-r4
- (no CPE)range: < 0.8.12-r3
- (no CPE)range: < 0.27.1-r2
- (no CPE)range: < 3.13.4
Patches
Vulnerability mechanics
References
5- github.com/aio-libs/aiohttp/commit/0ae2aa076c84573df83fc1fdc39eec0f5862fe3dnvdPatchWEB
- github.com/aio-libs/aiohttp/security/advisories/GHSA-p998-jp59-783mnvdPatchVendor AdvisoryWEB
- github.com/advisories/GHSA-p998-jp59-783mghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-34515ghsaADVISORY
- github.com/aio-libs/aiohttp/releases/tag/v3.13.4nvdRelease NotesWEB
News mentions
0No linked articles in our index yet.