CVE-2026-34515: CWE-36: Absolute Path Traversal in aio-libs aiohttp
CVE-2026-34515 is an absolute path traversal vulnerability in aiohttp versions prior to 3.13.4 on Windows platforms. The flaw exists in the static resource handler, which may expose sensitive information about NTLMv2 remote paths. This vulnerability does not require authentication or user interaction and can be exploited remotely over the network. The issue has been patched in aiohttp version 3.13.4. The CVSS 4.0 base score is 6.
AI Analysis
Technical Summary
CVE-2026-34515 is a medium-severity security vulnerability affecting the aiohttp asynchronous HTTP client/server framework for Python, specifically on Windows systems. The vulnerability is categorized as CWE-36 (Absolute Path Traversal) and CWE-918 (Server-Side Request Forgery). It arises from the static resource handler component of aiohttp versions earlier than 3.13.4, which improperly handles file paths and may inadvertently expose information about NTLMv2 remote paths. This exposure could allow an unauthenticated remote attacker to gain sensitive information about the server's file system structure or network shares, potentially aiding further attacks. The vulnerability can be exploited remotely without any authentication or user interaction, increasing its risk profile. However, the impact is limited to information disclosure without direct integrity or availability compromise. The issue was identified and patched in version 3.13.4 of aiohttp. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U) reflects a network attack vector with low complexity and no privileges or user interaction required, but with high confidentiality impact. No public exploits have been reported, and the vulnerability was reserved and published in early 2026.
Potential Impact
The primary impact of CVE-2026-34515 is unauthorized information disclosure on Windows systems running vulnerable versions of aiohttp. Attackers can remotely obtain sensitive details about NTLMv2 remote paths, which may reveal network share configurations or internal file system layouts. This information can facilitate further targeted attacks such as lateral movement, privilege escalation, or exploitation of other vulnerabilities. While the vulnerability does not directly compromise data integrity or system availability, the exposure of internal path information can weaken an organization's security posture. Organizations relying on aiohttp for asynchronous HTTP services on Windows are at risk, especially those exposing static resources over the network. The medium severity rating indicates a moderate risk that should be addressed promptly to prevent potential escalation or combined attacks. The lack of known exploits in the wild reduces immediate threat but does not eliminate future risk.
Mitigation Recommendations
To mitigate CVE-2026-34515, organizations should upgrade aiohttp to version 3.13.4 or later, where the vulnerability has been patched. If immediate upgrade is not feasible, administrators should restrict access to static resource handlers on Windows hosts by implementing network-level controls such as firewall rules or access control lists to limit exposure to trusted networks or IP addresses. Additionally, auditing and monitoring access logs for unusual requests targeting static resources can help detect exploitation attempts. Developers should review their use of aiohttp static resource handling to ensure no unnecessary exposure of sensitive paths or files. Employing application-layer security measures, such as input validation and path normalization, can further reduce risk. Finally, organizations should maintain up-to-date inventories of aiohttp versions in use and integrate vulnerability scanning into their software supply chain management.
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, Canada, Australia, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-30T16:03:31.047Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69ce9471e6bfc5ba1de93472
Added to database: 4/2/2026, 4:08:17 PM
Last enriched: 4/2/2026, 4:23:28 PM
Last updated: 4/2/2026, 6:43:55 PM