CVE-2026-54276
Status: Undergoing Analysis - In Progress
DigestAuth Credential Exposure in AIOHTTP

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, DigestAuthMiddleware can send an authentication response after following a cross-origin redirect. This likely requires an open redirect vulnerability or similar on the target domain for an attacker to be able to exploit it. Further, the attacker only receives the digest, so they should only be able to recover the user's credentials if the cryptography is weak or there is some kind of password reuse. This vulnerability is fixed in 3.14.1.
Meta Information
Published: 2026-06-22
Last Modified: 2026-06-22
Generated: 2026-06-23
AI Q&A: 2026-06-22
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor: aio-libs | Product: aiohttp | Version / Range: up to 3.14.1 (excluding)
CWE ID | Description
CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-522 | The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
Executive Summary

CVE-2026-54276 is a vulnerability in the aiohttp library's DigestAuthMiddleware prior to version 3.14.1. The middleware could send an authentication response after following a cross-origin redirect, potentially leaking HTTP Digest authentication credentials to an attacker-controlled domain.

To exploit this, an attacker would need an open redirect or similar vulnerability on the target domain to redirect the client to a malicious domain. The attacker would receive the digest authentication response, which contains a hashed form of the user's credentials.

However, the attacker only obtains the digest, not the plaintext password, unless weak cryptography is used or the user reuses passwords. The vulnerability was fixed in aiohttp version 3.14.1 by scoping credentials to the origin of the first request and preventing digest responses from being sent to different origins unless explicitly allowed.

Impact Analysis

This vulnerability can lead to the leakage of HTTP Digest authentication credentials if an attacker can exploit an open redirect or similar issue on the target domain.

If exploited, an attacker could capture the digest response, potentially allowing them to impersonate the user if weak cryptography or password reuse is involved.

The impact is considered low severity because the attacker does not directly obtain plaintext passwords and must rely on additional weaknesses to fully compromise credentials.

Users can mitigate the risk by upgrading to aiohttp version 3.14.1 or later, which fixes the issue, or by disabling automatic following of redirects.

Detection Guidance

This vulnerability involves DigestAuthMiddleware in aiohttp sending authentication credentials in response to a Digest challenge received after a cross-origin redirect. Detection would involve monitoring for HTTP Digest authentication responses that occur after cross-origin redirects.

To detect this on your network or system, you can capture and analyze HTTP traffic to identify Digest authentication headers being sent following redirects to different origins.

For example, using command-line tools like tcpdump or Wireshark to capture HTTP traffic and then filtering for Digest authentication headers after redirects could help detect this behavior.

  • Use tcpdump to capture HTTP traffic: tcpdump -i <interface> -w capture.pcap port 80 or port 443
  • Analyze the capture with Wireshark, filtering for HTTP Digest authentication headers (Authorization: Digest ...) and HTTP 3xx redirect responses. Note that headers inside TLS on port 443 are only visible to Wireshark if the TLS session keys are available to it (for example via a key log file); otherwise inspect plaintext port 80 traffic or log the requests at the client.
  • Alternatively, use curl with verbose output to manually test endpoints for cross-origin redirects and observe whether Digest authentication headers are sent: curl -v --location <URL>
Mitigation Strategies

The primary mitigation is to upgrade aiohttp to version 3.14.1 or later, where the vulnerability is fixed by scoping DigestAuthMiddleware credentials to the origin of the first request.

As a workaround before upgrading, you can disable redirect following in aiohttp clients by setting follow_redirects to false (aiohttp's request methods expose this as the allow_redirects keyword), which prevents the middleware from sending credentials after a cross-origin redirect.

Additionally, review your application and server configurations to avoid open redirect vulnerabilities that could be exploited in conjunction with this issue.
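As an added example that is not aiohttp's own code, serving both the detection guidance above and the origin-scoping mitigation: a stdlib-only Python model of the fixed policy (credentials scoped to the origin of the first request unless another origin is explicitly allowed), plus a detector that walks a client's request sequence and flags Digest credentials sent to a different origin after a 3xx redirect. The SAMPLE_EXCHANGE records, the origin() helper and the function names are assumptions constructed here.

```python
from urllib.parse import urlsplit

# Constructed sample of a client's request sequence (not captured traffic):
# the first request carries Digest credentials to the API origin, gets a 302
# to another origin, receives a 401 Digest challenge there and answers it.
SAMPLE_EXCHANGE = [
    {"url": "https://api.example.com/report", "status": 302,
     "digest_auth": True, "location": "https://other.example.net/collect"},
    {"url": "https://other.example.net/collect", "status": 401,
     "digest_auth": False},
    {"url": "https://other.example.net/collect", "status": 200,
     "digest_auth": True},
]


def origin(url):
    """(scheme, host, port) of a URL, with the scheme's default port filled in."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    return (parts.scheme.lower(), (parts.hostname or "").lower(), port)


def may_send_digest(first_url, target_url, allowed_origins=()):
    """Policy in the spirit of the 3.14.1 fix: Digest credentials are scoped to
    the origin of the first request; any other origin must be explicitly allowed."""
    allowed = {origin(u) for u in allowed_origins}
    return origin(target_url) == origin(first_url) or origin(target_url) in allowed


def find_cross_origin_digest(exchange):
    """Return (first_url, leaking_url) pairs for every request that sent Digest
    credentials to an origin other than the first request's after a redirect."""
    findings = []
    first_url = exchange[0]["url"]
    redirected = False
    for step in exchange:
        if redirected and step["digest_auth"] and not may_send_digest(first_url, step["url"]):
            findings.append((first_url, step["url"]))
        if 300 <= step["status"] < 400 and step.get("location"):
            redirected = True  # subsequent requests are post-redirect
    return findings
```

In the real aiohttp client, the pre-upgrade workaround is passed per request as allow_redirects=False to ClientSession.request() and its get()/post() helpers.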

Compliance Impact

This vulnerability involves the potential leakage of HTTP Digest authentication credentials during cross-origin redirects, which could expose user credentials if exploited.

Such credential leakage could pose risks to data confidentiality and user privacy, which are key concerns in compliance with standards like GDPR and HIPAA.

However, the vulnerability requires an open redirect or similar issue on the target domain to be exploitable, and the attacker only obtains the digest, not plaintext passwords, unless weak cryptography or password reuse is involved.

The issue is fixed in aiohttp version 3.14.1 by scoping credentials to the origin of the first request, preventing unauthorized credential exposure across origins.

Therefore, if unpatched, this vulnerability could increase the risk of unauthorized access to user credentials, potentially impacting compliance with data protection regulations that require safeguarding user authentication data.
