CVE-2026-54276: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in aio-libs aiohttp
Description
AIOHTTP versions prior to 3.14.1 contain a vulnerability in DigestAuthMiddleware where an authentication response can be sent after following a cross-origin redirect. This may expose sensitive information such as user credentials if an attacker exploits an open redirect on the target domain. The vulnerability is fixed in version 3.14.1.
CVSS v4.0
Score: 6.3 (Medium)
Affected software: aiohttp versions prior to 3.14.1
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-54276 is an information exposure vulnerability in aio-libs aiohttp's DigestAuthMiddleware prior to version 3.14.1. The middleware can send an authentication response after following a cross-origin redirect, potentially allowing an attacker to obtain the digest authentication response. Exploitation likely requires an open redirect vulnerability on the target domain. The attacker only receives the digest, so credential compromise depends on weak cryptography or password reuse. This issue is resolved in aiohttp 3.14.1.
Potential Impact
An attacker able to exploit this vulnerability could receive digest authentication responses after a cross-origin redirect, potentially exposing user credentials. However, successful exploitation requires an open redirect on the target domain and weak cryptographic protections or password reuse by the user. The impact is limited to information disclosure of authentication data.
Mitigation Recommendations
Upgrade aiohttp to version 3.14.1 or later, where this vulnerability is fixed. No other mitigation is indicated.
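The defensive principle behind the fix is that credentials negotiated for one origin must not be replayed to a different origin reached through a redirect. The following is an added illustration of that principle, not aiohttp's own code or its DigestAuthMiddleware: a generic same-origin gate that resolves a redirect's Location header against the original request URL and strips the Authorization header when scheme, host or effective port differ. All function names, the constructed URLs and the header dictionary are assumptions made for this example.

```python
from urllib.parse import urljoin, urlsplit

# Default ports per scheme, so "https://host" and "https://host:443" compare equal.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> tuple[str, str, int]:
    """Return the (scheme, host, port) origin tuple of an absolute URL.

    Host and scheme are lower-cased; an explicit port is used when present,
    otherwise the scheme's default. Raises ValueError for URLs without a
    usable scheme, because an origin cannot be derived for them.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    if not scheme or not host or port is None:
        raise ValueError(f"cannot derive an origin from {url!r}")
    return scheme, host, port


def same_origin(url_a: str, url_b: str) -> bool:
    """True only if both URLs share scheme, host and effective port."""
    return origin_of(url_a) == origin_of(url_b)


def resolve_redirect(original_url: str, location: str) -> str:
    """Resolve a Location header (absolute, relative, or protocol-relative)
    against the URL of the request that produced the redirect."""
    return urljoin(original_url, location)


def headers_for_redirect(original_url: str, location: str, headers: dict) -> dict:
    """Return the headers to send when following a redirect.

    Credentials (the Authorization header, which for Digest carries the
    authentication response) are forwarded only when the redirect target
    has the same origin as the original request; otherwise they are dropped.
    """
    target = resolve_redirect(original_url, location)
    if same_origin(original_url, target):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() != "authorization"}


if __name__ == "__main__":
    # Constructed sample: a request that carried a Digest response and was
    # redirected. Hostnames are illustrative placeholders.
    original = "https://api.example.test/login"
    sent = {"Authorization": 'Digest username="alice", ...', "Accept": "*/*"}
    for loc in ("/next", "https://api.example.test:443/next", "//other.example.test/collect"):
        fwd = headers_for_redirect(original, loc, sent)
        print(resolve_redirect(original, loc), "Authorization" in fwd)
```

The protocol-relative Location case (`//host/path`) is the one worth testing explicitly: a naive string prefix comparison would treat it as a relative path, but after resolution it points at a different origin and the credentials are withheld.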
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-06-12T17:13:32.280Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a39735beed863c81e39625d
Added to database: 06/22/2026, 17:39:39 UTC
Last enriched: 06/22/2026, 17:55:38 UTC
Last updated: 06/22/2026, 20:21:58 UTC