PyPI: aiohttp
CVE-2026-34515
Safety vulnerability ID: SFTY-20260401-43572
Safety legacy ID: pyup.io-91358
Overview
AIOHTTP affected by UNC SSRF/NTLMv2 Credential Theft/Local File Read in static resource handler on Windows
Advisory
Affected versions of the aiohttp package are vulnerable to Server-Side Request Forgery (SSRF) and Information Disclosure due to insufficient path validation in the static resource handler on Windows. The static file serving component fails to properly neutralise UNC path sequences, allowing crafted requests to trigger outbound connections to attacker-controlled SMB servers and leak NTLMv2 credential hashes. An attacker can exploit this by sending a specially crafted request that references a remote UNC path, exposing hashed user credentials and enabling the attacker to read local files on the host system.
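As an added illustration, not code from aiohttp or from this advisory, the following shows the kind of path confinement the description says was missing: a check that rejects UNC, drive-absolute and rooted paths and refuses any '..' sequence that would climb above the static root, using PureWindowsPath so that Windows rules apply on any OS. The function names, the root directory and the sample request paths are constructed for this example.

```python
from pathlib import PureWindowsPath
from typing import Optional

def resolve_static_path(root: str, requested: str) -> Optional[PureWindowsPath]:
    """Confine a request path to a file below `root` under Windows path rules.

    Returns None for UNC (\\\\host\\share or //host/share), drive or rooted
    paths, and for '..' sequences that would climb above `root`.
    Hypothetical check written for this example, not aiohttp's own code.
    """
    # PureWindowsPath applies Windows semantics on any OS: '/' and '\\' are
    # both separators, so '//host/share/x' parses with a UNC drive.
    req = PureWindowsPath(requested)
    # A drive (C:, \\host\share, \\?\C:) or a root (\foo) means the request
    # points at an absolute location rather than a name below `root`.
    if req.drive or req.root:
        return None
    # Collapse '..' by hand; pure paths never normalise it away.
    stack: list[str] = []
    for part in req.parts:
        if part == ".":          # pathlib drops these already; be explicit
            continue
        if part == "..":
            if not stack:
                return None      # would climb above the static root
            stack.pop()
            continue
        stack.append(part)
    return PureWindowsPath(root).joinpath(*stack)

# Constructed request paths, as a server would see them after URL decoding.
SAMPLE_REQUESTS = [
    "css/site.css",
    "img/../index.html",
    "../../Windows/win.ini",
    "//fileserver.example/share/x",
    "\\\\fileserver.example\\share\\x",
    "C:/Windows/win.ini",
    "\\Windows\\win.ini",
]

def triage(root: str = "C:\\srv\\static") -> dict[str, Optional[str]]:
    """Map each sample request to its confined path, or None if rejected."""
    out: dict[str, Optional[str]] = {}
    for r in SAMPLE_REQUESTS:
        p = resolve_static_path(root, r)
        out[r] = None if p is None else str(p)
    return out
```

Calling `triage()` serves only the two relative requests and rejects the remaining five, which is the behaviour a static handler needs before it ever touches the filesystem.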
References
- https://getsafety.com/vulnerabilities/SFTY-20260401-43572/CVE-2026-34515
- https://data.safetycli.com/changelogs/aiohttp/
- https://github.com/advisories/GHSA-p998-jp59-783m
- https://pypi.org/project/aiohttp
- https://github.com/aio-libs/aiohttp/security/advisories/GHSA-p998-jp59-783m
- https://github.com/aio-libs/aiohttp/commit/0ae2aa076c84573df83fc1fdc39eec0f5862fe3d
- https://nvd.nist.gov/vuln/detail/CVE-2026-34515
- https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
