CVE-2026-34993: CWE-502: Deserialization of Untrusted Data in aio-libs aiohttp
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, using ``CookieJar.load()`` with untrusted input may allow arbitrary code execution. Most applications using this function will be doing so with the user's own data, so this is unlikely to affect many applications. Version 3.14.0 patches the issue. If an application does allow attacker controlled files to be loaded, a workaround on older releases would be to sanitize the files before loading.
AI Analysis
Technical Summary
The vulnerability in aiohttp (CVE-2026-34993) involves unsafe deserialization in the CookieJar.load() method when processing untrusted input. This can allow an attacker to execute arbitrary code if they can supply malicious serialized data. The issue affects aiohttp versions before 3.14.0. The vendor fixed this vulnerability in version 3.14.0. Since typical usage involves trusted user data, exploitation is less likely unless the application explicitly loads attacker-controlled files without sanitization.
Potential Impact
Successful exploitation can lead to arbitrary code execution with the privileges of the application using aiohttp. The CVSS score of 6.4 (medium severity) reflects that the attack requires local access with high privileges and user interaction, but can result in high integrity and low confidentiality impact. There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade to aiohttp version 3.14.0 or later, which includes a fix for this vulnerability. If upgrading is not immediately possible, ensure that any files loaded via CookieJar.load() are sanitized to prevent loading attacker-controlled data. Patch status is not explicitly stated beyond the version fix; check the vendor advisory for the latest remediation guidance.
CVE-2026-34993: CWE-502: Deserialization of Untrusted Data in aio-libs aiohttp
Description
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, using ``CookieJar.load()`` with untrusted input may allow arbitrary code execution. Most applications using this function will be doing so with the user's own data, so this is unlikely to affect many applications. Version 3.14.0 patches the issue. If an application does allow attacker controlled files to be loaded, a workaround on older releases would be to sanitize the files before loading.
CVSS v3.1
Score 6.4medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in aiohttp (CVE-2026-34993) involves unsafe deserialization in the CookieJar.load() method when processing untrusted input. This can allow an attacker to execute arbitrary code if they can supply malicious serialized data. The issue affects aiohttp versions before 3.14.0. The vendor fixed this vulnerability in version 3.14.0. Since typical usage involves trusted user data, exploitation is less likely unless the application explicitly loads attacker-controlled files without sanitization.
Potential Impact
Successful exploitation can lead to arbitrary code execution with the privileges of the application using aiohttp. The CVSS score of 6.4 (medium severity) reflects that the attack requires local access with high privileges and user interaction, but can result in high integrity and low confidentiality impact. There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade to aiohttp version 3.14.0 or later, which includes a fix for this vulnerability. If upgrading is not immediately possible, ensure that any files loaded via CookieJar.load() are sanitized to prevent loading attacker-controlled data. Patch status is not explicitly stated beyond the version fix; check the vendor advisory for the latest remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-31T19:38:31.618Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a1f348ce29bf47b50fa1feb
Added to database: 6/2/2026, 7:52:44 PM
Last enriched: 6/2/2026, 8:04:51 PM
Last updated: 6/3/2026, 5:08:38 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.