Cyber Posture

CVE-2026-34515

Severity: High
Published: 01 April 2026
Modified: 15 April 2026
KEV Added: not listed
Patch: fixed in version 3.13.4
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0007 (20.3rd percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-34515 is a high-severity Absolute Path Traversal (CWE-36) vulnerability in aiohttp (vendor: aiohttp). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 20.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- prevent (SI-2, Flaw Remediation): directly mitigates the CVE by requiring timely patching of the AIOHTTP flaw fixed in version 3.13.4, preventing the path traversal and NTLMv2 path disclosure.
- prevent (SI-10, Information Input Validation): prevents absolute path traversal (CWE-36) in the static resource handler by validating user-supplied inputs against allowed paths.
- prevent: filters sensitive NTLMv2 remote path information out of HTTP responses generated by the static resource handler to limit the confidentiality impact.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is an unauthenticated SSRF/path traversal issue in a public-facing AIOHTTP web server framework, directly enabling exploitation of an Internet-facing application for information disclosure.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, on Windows the static resource handler may expose information about a NTLMv2 remote path. This issue has been patched in version 3.13.4.

Deeper analysis

CVE-2026-34515 affects AIOHTTP, an asynchronous HTTP client/server framework for asyncio and Python, specifically versions prior to 3.13.4. On Windows systems, the static resource handler may expose sensitive information about an NTLMv2 remote path. This vulnerability is classified under CWE-36 (Absolute Path Traversal) and CWE-918 (Server-Side Request Forgery), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact.

Unauthenticated attackers with network access can exploit this issue with low complexity and no user interaction required. By targeting the static resource handler, they can trigger the disclosure of NTLMv2 remote path details, potentially revealing internal network paths or credentials-related information that could aid further attacks like lateral movement.

The issue has been addressed in AIOHTTP version 3.13.4, as detailed in the project's security advisory (GHSA-p998-jp59-783m), release notes, and the patching commit. Security practitioners should upgrade to version 3.13.4 or later to mitigate the vulnerability.

Details

CWE(s): CWE-36 (Absolute Path Traversal), CWE-918 (Server-Side Request Forgery)

Affected Products: aiohttp / aiohttp, versions ≤ 3.13.4

CVEs Like This One

- CVE-2026-34520 (same product: aiohttp)
- CVE-2025-69227 (same product: aiohttp)
- CVE-2025-69223 (same product: aiohttp)
- CVE-2026-22815 (same product: aiohttp)
- CVE-2026-34513 (same product: aiohttp)
- CVE-2026-34516 (same product: aiohttp)
- CVE-2025-69228 (same product: aiohttp)
- CVE-2026-7025 (shared CWE-918)
- CVE-2025-21385 (shared CWE-918)
- CVE-2025-52362 (shared CWE-918)

References