apk package

chainguard/authentik-2026.2

pkg:apk/chainguard/authentik-2026.2

Vulnerabilities (33)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2026-3902	Hig	7.5	< 2026.2.1-r3	2026.2.1-r3	Apr 7, 2026	An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `ASGIRequest` allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants (with hyphens or with underscores) to a single version with underscores. Earlie
CVE-2026-33034	Hig	7.5	< 2026.2.1-r3	2026.2.1-r3	Apr 7, 2026	An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated `Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading `HttpRequest.body`, allowing remote attackers to load an
CVE-2026-33033	Med	6.5	< 2026.2.1-r3	2026.2.1-r3	Apr 7, 2026	An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `MultiPartParser` allows remote attackers to degrade performance by submitting multipart uploads with `Content-Transfer-Encoding: base64` including excessive whitespace. Earlier, unsupported Dj
CVE-2026-34525	Med	5.3	< 2026.2.1-r3	2026.2.1-r3	Apr 1, 2026	AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, multiple Host headers were allowed in aiohttp. This issue has been patched in version 3.13.4.
CVE-2026-34520	Cri	9.1	< 2026.2.1-r3	2026.2.1-r3	Apr 1, 2026	AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, the C parser (the default for most installs) accepted null bytes and control characters in response headers. This issue has been patched in version 3.13.4.
CVE-2026-34519	Med	5.3	< 2026.2.1-r3	2026.2.1-r3	Apr 1, 2026	AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the reason parameter when creating a Response may be able to inject extra headers or similar exploits. This issue has been patched in version 3.13.4.
CVE-2026-34518	Med	5.3	< 2026.2.1-r3	2026.2.1-r3	Apr 1, 2026	AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, when following redirects to a different origin, aiohttp drops the Authorization header, but retains the Cookie and Proxy-Authorization headers. This issue has been patched in
CVE-2026-34517	Med	5.3	< 2026.2.1-r3	2026.2.1-r3	Apr 1, 2026	AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, for some multipart form fields, aiohttp read the entire field into memory before checking client_max_size. This issue has been patched in version 3.13.4.
CVE-2026-34516	Hig	7.5	< 2026.2.1-r3	2026.2.1-r3	Apr 1, 2026	AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, a response with an excessive number of multipart headers may be allowed to use more memory than intended, potentially allowing a DoS vulnerability. This issue has been patched
CVE-2026-34515	Hig	7.5	< 2026.2.1-r3	2026.2.1-r3	Apr 1, 2026	AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, on Windows the static resource handler may expose information about a NTLMv2 remote path. This issue has been patched in version 3.13.4.
CVE-2026-34514	Med	5.3	< 2026.2.1-r3	2026.2.1-r3	Apr 1, 2026	AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the content_type parameter in aiohttp could use this to inject extra headers or similar exploits. This issue has been patched in version 3.13.4.
CVE-2026-34513	Hig	7.5	< 2026.2.1-r3	2026.2.1-r3	Apr 1, 2026	AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an unbounded DNS cache could result in excessive memory usage possibly resulting in a DoS situation. This issue has been patched in version 3.13.4.
CVE-2026-22815	Hig	7.5	< 2026.2.1-r3	2026.2.1-r3	Apr 1, 2026	AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, insufficient restrictions in header/trailer handling could cause uncapped memory usage. This issue has been patched in version 3.13.4.

CVE-2026-3902HigApr 7, 2026
affected < 2026.2.1-r3fixed 2026.2.1-r3
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `ASGIRequest` allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants (with hyphens or with underscores) to a single version with underscores. Earlie
CVE-2026-33034HigApr 7, 2026
affected < 2026.2.1-r3fixed 2026.2.1-r3
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated `Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading `HttpRequest.body`, allowing remote attackers to load an
CVE-2026-33033MedApr 7, 2026
affected < 2026.2.1-r3fixed 2026.2.1-r3
An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `MultiPartParser` allows remote attackers to degrade performance by submitting multipart uploads with `Content-Transfer-Encoding: base64` including excessive whitespace. Earlier, unsupported Dj
CVE-2026-34525MedApr 1, 2026
affected < 2026.2.1-r3fixed 2026.2.1-r3
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, multiple Host headers were allowed in aiohttp. This issue has been patched in version 3.13.4.
CVE-2026-34520CriApr 1, 2026
affected < 2026.2.1-r3fixed 2026.2.1-r3
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, the C parser (the default for most installs) accepted null bytes and control characters in response headers. This issue has been patched in version 3.13.4.
CVE-2026-34519MedApr 1, 2026
affected < 2026.2.1-r3fixed 2026.2.1-r3
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the reason parameter when creating a Response may be able to inject extra headers or similar exploits. This issue has been patched in version 3.13.4.
CVE-2026-34518MedApr 1, 2026
affected < 2026.2.1-r3fixed 2026.2.1-r3
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, when following redirects to a different origin, aiohttp drops the Authorization header, but retains the Cookie and Proxy-Authorization headers. This issue has been patched in
CVE-2026-34517MedApr 1, 2026
affected < 2026.2.1-r3fixed 2026.2.1-r3
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, for some multipart form fields, aiohttp read the entire field into memory before checking client_max_size. This issue has been patched in version 3.13.4.
CVE-2026-34516HigApr 1, 2026
affected < 2026.2.1-r3fixed 2026.2.1-r3
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, a response with an excessive number of multipart headers may be allowed to use more memory than intended, potentially allowing a DoS vulnerability. This issue has been patched
CVE-2026-34515HigApr 1, 2026
affected < 2026.2.1-r3fixed 2026.2.1-r3
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, on Windows the static resource handler may expose information about a NTLMv2 remote path. This issue has been patched in version 3.13.4.
CVE-2026-34514MedApr 1, 2026
affected < 2026.2.1-r3fixed 2026.2.1-r3
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the content_type parameter in aiohttp could use this to inject extra headers or similar exploits. This issue has been patched in version 3.13.4.
CVE-2026-34513HigApr 1, 2026
affected < 2026.2.1-r3fixed 2026.2.1-r3
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an unbounded DNS cache could result in excessive memory usage possibly resulting in a DoS situation. This issue has been patched in version 3.13.4.
CVE-2026-22815HigApr 1, 2026
affected < 2026.2.1-r3fixed 2026.2.1-r3
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, insufficient restrictions in header/trailer handling could cause uncapped memory usage. This issue has been patched in version 3.13.4.

Page 2 of 2