CVE-2026-44432
Description
urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) call when the response was decompressed using the official Brotli library or (2) when HTTPResponse.drain_conn() was called after the response had been read and decompressed partially (compression algorithm did not matter here). These issues could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This could result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data) on the client side. This vulnerability is fixed in 2.7.0.
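The failure mode described above, modelled with the standard library's zlib as an added example (this is not urllib3's code and does not reproduce its internals): decoding the whole body to serve a small read, next to a reader that caps decoder output per call, which is the behaviour a caller expects from HTTPResponse.read(amt=N) and drain_conn(). The names make_constructed_body, read_unbounded and BoundedReader are hypothetical, and the sample body is constructed inline.

```python
import zlib


def make_constructed_body(size: int = 8 * 1024 * 1024) -> bytes:
    """Constructed sample input: `size` zero bytes, deflate-compressed."""
    return zlib.compress(b"\x00" * size, 9)


def read_unbounded(body: bytes, amt: int) -> tuple[bytes, int]:
    """Anti-pattern: decode the whole body, then slice off `amt` bytes.

    Returns the slice and the number of bytes that had to be held in memory.
    """
    decoded = zlib.decompress(body)
    return decoded[:amt], len(decoded)


class BoundedReader:
    """Hypothetical reader that never decodes more than it was asked for."""

    def __init__(self, body: bytes) -> None:
        self._inflater = zlib.decompressobj()
        self._pending = body   # input that is still compressed
        self.peak = 0          # largest decoded chunk produced so far

    def read(self, amt: int) -> bytes:
        if amt <= 0:           # zlib treats max_length=0 as "no limit"
            return b""
        # max_length caps the output; unread input stays in unconsumed_tail.
        out = self._inflater.decompress(self._pending, amt)
        self._pending = self._inflater.unconsumed_tail
        self.peak = max(self.peak, len(out))
        return out

    def drain(self, chunk: int = 64 * 1024) -> int:
        """Discard the rest of the body in `chunk`-sized pieces; return the total."""
        discarded = 0
        while True:
            out = self.read(chunk)
            if not out:
                return discarded
            discarded += len(out)


if __name__ == "__main__":
    body = make_constructed_body()
    _, held = read_unbounded(body, 1024)
    reader = BoundedReader(body)
    reader.read(1024)
    reader.drain()
    print(f"wire={len(body)}B unbounded_peak={held}B bounded_peak={reader.peak}B")
```

The same cap-per-call pattern applies to any streaming decoder that accepts an output limit; a reader built on a decoder without one has to bound the input fed per call instead.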
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| urllib3 (PyPI) | >= 2.6.0, < 2.7.0 | 2.7.0 |
Affected products
References
- github.com/advisories/GHSA-mf9v-mfxr-j63j (source: ghsa; type: ADVISORY)
- github.com/urllib3/urllib3/security/advisories/GHSA-mf9v-mfxr-j63j (source: nvd; tags: Mitigation, Vendor Advisory; type: WEB)
- nvd.nist.gov/vuln/detail/CVE-2026-44432 (source: ghsa; type: ADVISORY)
- github.com/pypa/advisory-database/tree/main/vulns/urllib3/PYSEC-2026-142.yaml (source: ghsa; type: WEB)