CVE-2026-34993 Overview
CVE-2026-34993 is an insecure deserialization vulnerability in AIOHTTP, an asynchronous HTTP client/server framework for asyncio and Python. The flaw is in the CookieJar.load() method, which used Python's pickle module to deserialize cookie data from disk. If load() is called on an attacker-controlled file, a malicious pickle payload executes arbitrary code with the privileges of the Python process. The issue affects all versions prior to 3.14.0 and is tracked under CWE-502: Deserialization of Untrusted Data.
Critical Impact
Loading an attacker-controlled cookie file through CookieJar.load() results in arbitrary Python code execution in the application process.
Affected Products
- AIOHTTP versions prior to 3.14.0
- Python applications that call aiohttp.CookieJar.load() on files they do not fully control
- Downstream libraries embedding AIOHTTP's cookie persistence APIs
Discovery Timeline
- 2026-06-02 - CVE-2026-34993 published to the National Vulnerability Database (NVD)
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-34993
Vulnerability Analysis
The CookieJar class in AIOHTTP provides save() and load() helpers for persisting cookies between sessions. Prior to version 3.14.0, both methods used Python's pickle serialization format. pickle.load() resolves any importable callable named in the stream (the GLOBAL and STACK_GLOBAL opcodes that an object's __reduce__ result is written as) and calls it during deserialization, before the caller ever sees a result. An attacker who can substitute or modify the cookie file on disk can therefore craft a payload that runs shell commands, drops files, or imports arbitrary modules the moment the application calls CookieJar.load(file_path).
Most deployments invoke load() against files the application itself wrote, which limits real-world exposure. The risk concentrates in scenarios where cookie files are shared, downloaded, restored from backups of untrusted origin, or stored in world-writable locations.
Root Cause
The root cause is the use of pickle as the persistence format for the cookie store. Pickle is not a safe deserialization mechanism for untrusted input because the stream itself decides which objects are constructed and which callables are invoked. The previous implementation used the standard unpickler without a class allow-list (no find_class() override), so a GLOBAL or STACK_GLOBAL opcode in the file could resolve any importable callable and a following REDUCE opcode could call it during load.
Attack Vector
Exploitation requires the attacker to control the contents of the file passed to CookieJar.load(). Typical paths include tampering with a writable cookie store, supplying a malicious cookie archive to a tool that imports it, or chaining a separate file-write primitive with a subsequent cookie load. Execution occurs locally in the context of the Python interpreter that calls load().
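To make the mechanism in the three sections above concrete, here is an added example written for this page (it is not aiohttp's code) in standard-library Python: a __reduce__ payload that the stock unpickler executes at load time, next to an allow-listed Unpickler of the kind the fix describes. The host -> SimpleCookie store layout, the ALLOWED_GLOBALS set and os.getpid as the stand-in target are assumptions for illustration; aiohttp's actual on-disk structure and allow-list are not reproduced here.

```python
"""Added example (not aiohttp's code): why an unrestricted pickle load is code
execution, and what an allow-listed unpickler of the kind the fix describes changes.
Stdlib only; the cookie store layout below is an assumption, not aiohttp's format."""
import collections
import http.cookies
import io
import os
import pickle

# Globals the restricted loader may resolve. The advisory names SimpleCookie,
# Morsel and defaultdict; the exact list shipped in 3.14.0 is not reproduced here.
ALLOWED_GLOBALS = frozenset({
    ("collections", "defaultdict"),
    ("http.cookies", "SimpleCookie"),
    ("http.cookies", "Morsel"),
})


class CookieUnpickler(pickle.Unpickler):
    """find_class() is the single choke point: every GLOBAL/STACK_GLOBAL in the
    stream goes through it, so refusing here stops REDUCE before any call."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused global {module}.{name}")


def restricted_loads(data: bytes):
    return CookieUnpickler(io.BytesIO(data)).load()


def unsafe_loads(data: bytes):
    """What the pre-3.14.0 load() amounted to: the stock unpickler, no allow-list."""
    return pickle.loads(data)


def make_cookie_store():
    """Constructed sample store: host -> SimpleCookie (assumed layout)."""
    store = collections.defaultdict(http.cookies.SimpleCookie)
    store["example.com"]["session"] = "abc123"
    store["example.com"]["session"]["path"] = "/"
    return store


class Payload:
    """Pickles to 'call os.getpid()' instead of to a cookie object. os.getpid is a
    harmless stand-in for os.system/subprocess.Popen: the point is that the loader
    calls whatever the file names, with the process's own privileges."""

    def __reduce__(self):
        return (os.getpid, ())


def demo():
    good = pickle.dumps(make_cookie_store())
    evil = pickle.dumps(Payload())          # dumping never runs the payload

    # 1. Unrestricted load: the "cookie jar" we get back is the result of the call.
    callable_ran = unsafe_loads(evil) == os.getpid()

    # 2. Allow-listed load still restores a genuine store ...
    restored = restricted_loads(good)["example.com"]["session"].value

    # 3. ... and rejects the payload while resolving the global, before any call.
    try:
        restricted_loads(evil)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    return callable_ran, restored, blocked


if __name__ == "__main__":
    print(demo())  # -> (True, 'abc123', True)
```

The allow-list approach only narrows what the file can name; a class on the list that does something interesting in __setstate__ or __setitem__ is still reachable, which is why the upstream change also moves save() to JSON rather than relying on the restricted unpickler alone.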
# Patch excerpt - CHANGES/12091.bugfix.rst
Switched aiohttp.CookieJar.save to use JSON format and
aiohttp.CookieJar.load to try JSON first with a fallback to
a restricted pickle unpickler that only allows cookie-related types
(SimpleCookie, Morsel, defaultdict, etc.), preventing
arbitrary code execution via malicious pickle payloads
(CWE-502) -- by YuvalElbar6.
Source: GitHub Commit dcf40f3
Detection Methods for CVE-2026-34993
Indicators of Compromise
- Cookie persistence files (commonly named cookies.pickle or similar) whose GLOBAL opcodes (the c opcode in protocols 0-3, shown by pickletools.dis as e.g. GLOBAL 'os system' or GLOBAL 'builtins exec'; STACK_GLOBAL in protocol 4+) reference anything other than cookie types: os, posix, nt, subprocess, builtins.exec/eval and similar. A legitimate store only references types such as http.cookies.SimpleCookie, http.cookies.Morsel and collections.defaultdict. Inspect suspect files with pickletools, never by loading them.
- Unexpected child processes spawned by Python interpreters shortly after an application start-up routine that calls CookieJar.load().
- File modification timestamps on cookie stores that do not align with normal application write cycles.
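For the first indicator above, here is an added example (not from the advisory or aiohttp) that lists the globals a pickle would resolve without loading it, so a suspect cookie store can be triaged from a forensic copy. The COOKIE_GLOBALS allow-list repeats the advisory's three types and is an assumption about aiohttp's real list; the sample streams are constructed here, and the protocol 0 bytes deliberately spell out the c (GLOBAL) opcode the indicator refers to.

```python
"""Added example (not from the advisory or aiohttp): list the globals a pickle
would resolve, without loading it, to triage cookie stores found on disk."""
import collections
import http.cookies
import pickle
import pickletools
from pathlib import Path

# Cookie-related globals a legitimate store references (assumption: the
# advisory's three types, not aiohttp's exact allow-list).
COOKIE_GLOBALS = frozenset({
    ("collections", "defaultdict"),
    ("http.cookies", "SimpleCookie"),
    ("http.cookies", "Morsel"),
})
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
GET_OPS = {"GET", "BINGET", "LONG_BINGET"}
PUT_OPS = {"PUT", "BINPUT", "LONG_BINPUT"}
NO_STACK_EFFECT = {"PROTO", "FRAME", "MEMOIZE"} | PUT_OPS


def pickle_globals(data: bytes):
    """Every (module, name) the stream would hand to find_class, in order.
    Covers the protocol 0-3 GLOBAL opcode ('c' + "module\\nname\\n") and the
    protocol 4+ STACK_GLOBAL opcode, whose module and name are the two strings
    pushed before it, possibly via memo references (BINGET) to earlier strings."""
    found = []
    recent = collections.deque(maxlen=2)   # last two string values pushed
    memo = {}                              # memo slot -> value (strings only)
    last = None                            # value of the most recent push
    for op, arg, pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            last = arg
            recent.append(arg)
        elif op.name in GET_OPS:
            last = memo.get(arg)
            if isinstance(last, str):
                recent.append(last)
        elif op.name == "MEMOIZE":
            memo[len(memo)] = last
        elif op.name in PUT_OPS:
            memo[arg] = last
        elif op.name == "GLOBAL":
            found.append(tuple(arg.split(" ", 1)))   # pickletools gives "module name"
            last = None
        elif op.name == "STACK_GLOBAL":
            if len(recent) < 2:
                raise ValueError(f"malformed STACK_GLOBAL at offset {pos}")
            found.append((recent[0], recent[1]))
            last = None
        elif op.name not in NO_STACK_EFFECT:
            last = None
    return found


def suspicious_globals(data: bytes, allowed=COOKIE_GLOBALS):
    """Globals outside the allow-list; an empty list means nothing to call."""
    return [g for g in pickle_globals(data) if g not in allowed]


def scan_cookie_store(path) -> list:
    """Triage a file on disk (a forensic copy, ideally) without unpickling it."""
    return suspicious_globals(Path(path).read_bytes())


# Constructed samples. None of them is ever loaded.
def clean_store_bytes() -> bytes:
    store = collections.defaultdict(http.cookies.SimpleCookie)
    store["example.com"]["session"] = "abc123"
    return pickle.dumps(store, protocol=4)


# Hand-written protocol 0 stream: GLOBAL os.system, MARK, STRING 'id', TUPLE, REDUCE, STOP.
EVIL_PROTO0 = b"cos\nsystem\n(S'id'\ntR."


class ExecPayload:
    """Pickles (protocol 4) to 'call builtins.exec(...)'; dumps() does not run it."""

    def __reduce__(self):
        return (exec, ("print('owned')",))


def demo():
    return (suspicious_globals(clean_store_bytes()),
            suspicious_globals(EVIL_PROTO0),
            suspicious_globals(pickle.dumps(ExecPayload(), protocol=4)))
```

Run scan_cookie_store() over every file the inventory step turns up; any non-empty result is worth a ticket, and pickletools.dis on the same bytes gives the full opcode listing for the report. The scanner answers "what would this file call", not "is this file safe": a reference to an allow-listed class with surprising side effects would still pass.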
Detection Strategies
- Inventory Python environments and identify any that have aiohttp installed or pinned below 3.14.0, using pip list, pip freeze, lock files, or SBOM scans.
- Apply static analysis rules that flag calls to CookieJar.load() with file paths sourced from user input, network downloads, or shared storage.
- Monitor process telemetry for Python processes invoking shells, network utilities, or interpreters immediately after touching .pickle files.
Monitoring Recommendations
- Log file integrity events on directories that store AIOHTTP cookie files and alert on writes from non-application identities.
- Capture command-line and parent-child process relationships for Python workloads to detect post-deserialization execution chains.
- Correlate package inventory data with vulnerability feeds to track remediation status of AIOHTTP across hosts.
How to Mitigate CVE-2026-34993
Immediate Actions Required
- Upgrade AIOHTTP to version 3.14.0 or later in all Python environments, virtualenvs, and container images.
- Audit application code for CookieJar.load() usage and confirm input files originate from trusted, application-controlled paths.
- Rotate any cookie or session material persisted with the legacy pickle format if integrity cannot be verified.
Patch Information
Version 3.14.0 switches CookieJar.save() to JSON output and modifies CookieJar.load() to attempt JSON first, falling back to a restricted unpickler that only permits cookie-related classes such as SimpleCookie, Morsel, and defaultdict. Because that fallback still unpickles legacy files (through an allow-list), delete old pickle stores once they have been re-saved as JSON rather than leaving them on disk. Review the GitHub Security Advisory GHSA-jg22-mg44-37j8 and the upstream commit dcf40f3 for the full fix.
Workarounds
- Restrict filesystem permissions on cookie files so only the application service account can read or write them.
- Regenerate cookie files of uncertain origin rather than trying to sanitize a pickle stream in place on older AIOHTTP releases; a pickle can only be safely inspected with pickletools, never by loading it.
- Replace CookieJar.load() calls with a custom loader that parses cookies from a safe format such as JSON until upgrades are complete.
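The last workaround, as an added example that is not aiohttp's code: a JSON persistence format for a host -> SimpleCookie store and a loader that never resolves a class or function name from the file. The store layout is an assumption (the point is the format); everything is standard library.

```python
"""Added example (not aiohttp's code): a JSON persistence format for a
host -> SimpleCookie store, the 'safe format' workaround named above.
Stdlib only. The store layout is an assumption; the point is the format."""
import collections
import http.cookies
import json


def store_to_json(store) -> str:
    """Emit plain data only: keys, values and cookie attributes, no class names."""
    out = {}
    for host, cookie in store.items():
        out[host] = [
            {
                "key": morsel.key,
                "value": morsel.value,
                "coded_value": morsel.coded_value,
                # Morsel pre-fills every attribute with ""; keep only the set ones.
                "attrs": {k: v for k, v in morsel.items() if v != ""},
            }
            for morsel in cookie.values()
        ]
    return json.dumps(out, sort_keys=True)


def store_from_json(text: str):
    """Rebuild the store from JSON. Nothing here resolves a name from the file:
    Morsel.set() and Morsel.__setitem__() validate keys and attribute names and
    raise CookieError for anything unknown, so a tampered file fails closed."""
    raw = json.loads(text)
    if not isinstance(raw, dict):
        raise ValueError("cookie store must be a JSON object keyed by host")
    store = collections.defaultdict(http.cookies.SimpleCookie)
    for host, entries in raw.items():
        for entry in entries:
            morsel = http.cookies.Morsel()
            morsel.set(str(entry["key"]), str(entry["value"]), str(entry["coded_value"]))
            for attr, val in entry.get("attrs", {}).items():
                morsel[attr] = val            # CookieError on unknown attribute names
            store[host][morsel.key] = morsel  # SimpleCookie keeps Morsel objects as-is
    return store


def is_loadable(text: str) -> bool:
    """True if the JSON parses as a cookie store; False for malformed or tampered input."""
    try:
        store_from_json(text)
    except (ValueError, KeyError, TypeError, http.cookies.CookieError):
        return False
    return True


def demo():
    store = collections.defaultdict(http.cookies.SimpleCookie)
    store["example.com"]["session"] = "abc123"
    store["example.com"]["session"]["path"] = "/"
    store["example.com"]["session"]["secure"] = True
    restored = store_from_json(store_to_json(store))
    m = restored["example.com"]["session"]
    return m.value, m["path"], m["secure"], m.OutputString()


if __name__ == "__main__":
    print(demo())  # -> ('abc123', '/', True, 'session=abc123; Path=/; Secure')
```

On an older release, each restored SimpleCookie can be pushed into a running jar through aiohttp's CookieJar.update_cookies(cookies, response_url); check that signature against the installed version before relying on it. The JSON file still deserves the same file permissions as the pickle did: it can no longer run code, but it still holds session material.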
# Upgrade AIOHTTP to the patched release
python -m pip install --upgrade 'aiohttp>=3.14.0'
# Verify installed version
python -c "import aiohttp; print(aiohttp.__version__)"
# Tighten permissions on persisted cookie files
chmod 600 /var/lib/myapp/cookies.dat
chown appuser:appuser /var/lib/myapp/cookies.dat
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

