Bug 2491474 (CVE-2026-54276)

Summary: CVE-2026-54276 aiohttp: aiohttp: Information disclosure via DigestAuthMiddleware after cross-origin redirect
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: adudiak, alinfoot, anpicker, anthomas, bbrownin, bdettelb, bparees, brasmith, cochase, dfreiber, doconnor, dranck, drow, dschmidt, dtrifiro, ehelms, erezende, ggainey, gtanzill, hasun, ilpinto, jburrell, jbuscemi, jdobes, jfula, jkoehler, jlanda, jmitchel, jowilson, jsamir, juwatts, jwong, kaycoth, kshier, lichen, ljawale, lphiri, ltomasbo, luizcosta, mbarnett, mhulan, nmoumoul, nweather, nyancey, omaciel, ometelka, orabin, osousa, pakotvan, pbohmill, pcreech, ptisnovs, rbobbitt, rbryant, rchan, rjohnson, simaishi, smallamp, stcannon, sthirugn, syedriko, teagle, tmalecek, ttakamiy, vkumar, weaton, xdharmai, xialiu, yguenane, ykashtan, zzhou
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in aiohttp, an asynchronous HTTP client/server framework for asyncio and Python. The DigestAuthMiddleware component can send an authentication response after following a cross-origin redirect. This could allow a remote attacker, in conjunction with an open redirect vulnerability on the target domain, to potentially extract a user's credentials if weak cryptography is used or if there is password reuse. This vulnerability primarily leads to information disclosure.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-06-22 18:03:32 UTC 
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, DigestAuthMiddleware can send an authentication response after following a cross-origin redirect. This likely requires an open redirect vulnerability or similar on the target domain for an attacker to be able to execute. Further, the attacker is only receiving the digest, so should only be able to extract the user's credentials if the cryptography is weak or there is some kind of password reuse. This vulnerability is fixed in 3.14.1.