CVE-2026-34515 Overview
CVE-2026-34515 is an information disclosure vulnerability affecting AIOHTTP, an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, the static resource handler on Windows systems may expose NTLMv2 credentials when processing specially crafted requests containing absolute paths. This vulnerability allows attackers to potentially steal NTLM authentication credentials through UNC path injection.
Critical Impact
Attackers can exploit the static file handler to trigger NTLM authentication to attacker-controlled servers, potentially exposing NTLMv2 hashes that can be cracked offline or relayed for further attacks.
Affected Products
- AIOHTTP versions prior to 3.13.4 running on Windows
- Python applications using AIOHTTP static file serving on Windows platforms
- Web servers utilizing aiohttp.web static resource handlers on Windows
Discovery Timeline
- 2026-04-01 - CVE CVE-2026-34515 published to NVD
- 2026-04-01 - Last updated in NVD database
Technical Details for CVE-2026-34515
Vulnerability Analysis
This vulnerability is classified under CWE-36 (Absolute Path Traversal). The AIOHTTP static resource handler fails to properly validate user-supplied filenames before processing them. When an attacker provides an absolute path such as a UNC path (//network/share) or a Windows drive path (D:\path), the handler processes these paths without restriction. On Windows systems, accessing a UNC path triggers automatic NTLM authentication, allowing an attacker to capture NTLMv2 hashes by pointing the path to an attacker-controlled SMB server.
The vulnerability is exploitable over the network without any authentication or user interaction required, making it accessible to remote attackers. The primary impact is a complete loss of confidentiality for sensitive authentication credentials.
Root Cause
The root cause lies in the _handle method within aiohttp/web_urldispatcher.py. The static file handler extracts the filename from the request's match info and directly joins it with the configured directory path without first checking whether the supplied filename is an absolute path. This allows attackers to bypass the intended directory restrictions entirely by supplying absolute paths that the operating system will resolve independently of the configured static directory.
Attack Vector
The attack is network-based with low complexity. An attacker crafts an HTTP request to the static file endpoint with a filename parameter containing a UNC path pointing to an attacker-controlled SMB server. When the Windows-based AIOHTTP server attempts to access this path, it automatically sends NTLMv2 authentication credentials to the attacker's server. These captured hashes can then be used for offline password cracking or relay attacks against other services accepting NTLM authentication.
async def _handle(self, request: Request) -> StreamResponse:
filename = request.match_info["filename"]
+ if Path(filename).is_absolute():
+ # filename is an absolute path e.g. //network/share or D:\path
+ # which could be a UNC path leading to NTLM credential theft
+ raise HTTPNotFound()
unresolved_path = self._directory.joinpath(filename)
loop = asyncio.get_running_loop()
return await loop.run_in_executor(
Source: GitHub Commit Update
Detection Methods for CVE-2026-34515
Indicators of Compromise
- HTTP requests to static file endpoints containing UNC paths (e.g., //attacker-server/share)
- Network traffic showing outbound SMB connections (port 445) from web servers to unexpected external hosts
- Log entries showing requests with absolute Windows paths in static file URL parameters
Detection Strategies
- Monitor web application logs for requests containing // or drive letter patterns in static file routes
- Implement network-level detection for unexpected outbound SMB traffic from web servers
- Deploy application firewall rules to block requests containing UNC path patterns in URL parameters
Monitoring Recommendations
- Configure network monitoring to alert on any outbound SMB (port 445/139) connections from AIOHTTP application servers
- Enable verbose logging in AIOHTTP to capture full request paths for forensic analysis
- Implement Security Information and Event Management (SIEM) rules to correlate suspicious static file requests with network anomalies
How to Mitigate CVE-2026-34515
Immediate Actions Required
- Upgrade AIOHTTP to version 3.13.4 or later immediately on all Windows deployments
- Audit all applications using AIOHTTP static file serving for Windows deployment
- Implement network egress filtering to block outbound SMB traffic from web servers
Patch Information
The vulnerability has been patched in AIOHTTP version 3.13.4. The fix adds a validation check in the _handle method that verifies whether the supplied filename is an absolute path using Path(filename).is_absolute(). If an absolute path is detected, the handler now raises an HTTPNotFound exception, preventing the path from being processed.
For detailed patch information, see the GitHub Security Advisory GHSA-p998-jp59-783m and the GitHub Release v3.13.4.
Workarounds
- Deploy a reverse proxy or web application firewall (WAF) in front of AIOHTTP applications to filter requests containing absolute paths
- Restrict network egress from Windows servers running AIOHTTP to prevent outbound SMB connections
- Consider disabling static file serving through AIOHTTP and serving static content through a hardened web server like Nginx
# Example: Block outbound SMB traffic from web server using Windows Firewall
netsh advfirewall firewall add rule name="Block Outbound SMB" dir=out action=block protocol=tcp remoteport=445
netsh advfirewall firewall add rule name="Block Outbound NetBIOS" dir=out action=block protocol=tcp remoteport=139
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
