CVE-2026-54276
aiohttp: DigestAuthMiddleware Applies Credentials to Cross-Origin Redirect Challenges
Description
### Summary ``DigestAuthMiddleware`` can send an authentication response after following a cross-origin redirect. ### Impact If the client follows a redirect (the default option) to an attacker controlled domain, the attacker may be able to extract the auth digest. This likely requires an open redirect vulnerability or similar on the target domain for an attacker to be able to execute. Further, the attacker is only receiving the digest, so should only be able to extract the user's credentials if the cryptography is weak or there is some kind of password reuse. ### Workaround Disable ``follow_redirects`` if this is a concern. ----- Patch: https://github.com/aio-libs/aiohttp/commit/38d16060037e1bfcd6d677abababa3c2a4bb58fa
How to fix CVE-2026-54276
To remediate CVE-2026-54276, upgrade the affected package to a fixed version below.
- —upgrade to 3.14.1 or later
Is CVE-2026-54276 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-54276.
Affected packages (1)
- from 0, < 3.14.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |