CVE-2026-34515: CWE-36: Absolute Path Traversal in aio-libs aiohttp
CVE-2026-34515 is a medium severity vulnerability in aiohttp versions prior to 3. 13. 4 on Windows. It involves an absolute path traversal issue in the static resource handler that may expose information about an NTLMv2 remote path. This vulnerability has been patched in aiohttp version 3. 13. 4.
AI Analysis
Technical Summary
The aiohttp asynchronous HTTP client/server framework for Python contains an absolute path traversal vulnerability (CWE-36) in its static resource handler on Windows platforms. This flaw could allow exposure of NTLMv2 remote path information. The issue affects versions before 3.13.4 and has been addressed by the vendor in version 3.13.4.
Potential Impact
An attacker could potentially gain access to sensitive path information related to NTLMv2 remote paths on Windows systems running vulnerable aiohttp versions. The CVSS 4.0 base score is 6.6 (medium), indicating a moderate impact with network attack vector, no privileges or user interaction required, and high impact on confidentiality.
Mitigation Recommendations
Upgrade aiohttp to version 3.13.4 or later, where this vulnerability has been fixed. No other mitigation steps are indicated by the vendor advisory.
CVE-2026-34515: CWE-36: Absolute Path Traversal in aio-libs aiohttp
Description
CVE-2026-34515 is a medium severity vulnerability in aiohttp versions prior to 3. 13. 4 on Windows. It involves an absolute path traversal issue in the static resource handler that may expose information about an NTLMv2 remote path. This vulnerability has been patched in aiohttp version 3. 13. 4.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The aiohttp asynchronous HTTP client/server framework for Python contains an absolute path traversal vulnerability (CWE-36) in its static resource handler on Windows platforms. This flaw could allow exposure of NTLMv2 remote path information. The issue affects versions before 3.13.4 and has been addressed by the vendor in version 3.13.4.
Potential Impact
An attacker could potentially gain access to sensitive path information related to NTLMv2 remote paths on Windows systems running vulnerable aiohttp versions. The CVSS 4.0 base score is 6.6 (medium), indicating a moderate impact with network attack vector, no privileges or user interaction required, and high impact on confidentiality.
Mitigation Recommendations
Upgrade aiohttp to version 3.13.4 or later, where this vulnerability has been fixed. No other mitigation steps are indicated by the vendor advisory.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-30T16:03:31.047Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 69ce9471e6bfc5ba1de93472
Added to database: 4/2/2026, 4:08:17 PM
Last enriched: 4/10/2026, 12:04:50 AM
Last updated: 5/20/2026, 8:11:41 AM
Views: 96
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.