Cyber Resilience

CVE-2026-44432

Severity: High (Updated)

Published: 13 May 2026
Modified: 30 June 2026
KEV Added: not listed
Patch: fixed in 2.7.0

CVSS v4 score: 8.9 (High)
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0068 (47.8th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-44432 is a high-severity Data Amplification (CWE-409) vulnerability in Python Urllib3. Its CVSS base score is 8.9 (High).

Operationally, it is ranked at the 47.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) call when the response was decompressed using the official Brotli library, or (2) when HTTPResponse.drain_conn() was called after the response had been read and decompressed partially (compression algorithm did not matter here). These issues could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This could result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data) on the client side. This vulnerability is fixed in 2.7.0.
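The fixed behaviour described above, inflating only the portion the caller asked for, is the same discipline an application can enforce on its own side when it handles compressed data. The following is an added example, not urllib3's code: a reader built on the standard library's zlib (the Brotli library is assumed unavailable) whose read(amt) never inflates more than amt bytes in a single step, exercised on a constructed, highly compressible input.

```python
import io
import zlib

# Constructed sample input (not from the advisory): 8 MiB of zero bytes
# deflates to a few KiB, the kind of ratio CWE-409 is concerned with.
RAW_SIZE = 8 * 1024 * 1024
COMPRESSED = zlib.compress(b"\x00" * RAW_SIZE, 9)


class BoundedDecompressingReader:
    """Inflate a compressed stream in caller-sized portions: each read(amt)
    returns at most amt bytes, and max_length on the decompressobj keeps any
    single inflate step from ballooning a tiny input into memory at once."""

    def __init__(self, fp, chunk_size=4096):
        self._fp = fp                 # file-like object yielding compressed bytes
        self._chunk = chunk_size      # compressed input pulled per fetch
        self._d = zlib.decompressobj()
        self._pending = b""           # compressed input not yet consumed
        self.peak_inflated = 0        # largest single inflate result, for auditing

    def read(self, amt):
        out = bytearray()
        while len(out) < amt and not self._d.eof:
            if not self._pending:
                self._pending = self._fp.read(self._chunk)
                if not self._pending:
                    break             # underlying stream exhausted
            need = amt - len(out)
            # Inflate no more than `need` bytes; leftover input is kept for later.
            piece = self._d.decompress(self._pending, max_length=need)
            self._pending = self._d.unconsumed_tail
            self.peak_inflated = max(self.peak_inflated, len(piece))
            out += piece
        return bytes(out)


def inflate_in_portions(amt=64 * 1024, chunk_size=512):
    """Drain COMPRESSED with repeated read(amt); return (total, peak_inflated)."""
    reader = BoundedDecompressingReader(io.BytesIO(COMPRESSED), chunk_size)
    total = 0
    while True:
        data = reader.read(amt)
        if not data:
            break
        total += len(data)
    return total, reader.peak_inflated
```

With the bounded reader, the full 8 MiB is still recovered, but the largest amount inflated in one step stays at or below the requested portion instead of the whole payload.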

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

Insufficient information to map techniques.
Confidence: LOW · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-21441 (same product: Python Urllib3)
CVE-2026-32274 (same vendor: Python)
CVE-2026-5271 (same vendor: Python)
CVE-2026-31900 (same vendor: Python)
CVE-2026-25990 (same vendor: Python)
CVE-2026-40192 (same vendor: Python)
CVE-2026-22870 (shared CWE-409)
CVE-2026-43970 (shared CWE-409)
CVE-2026-22776 (shared CWE-409)
CVE-2025-30153 (shared CWE-409)

Affected Assets

python / urllib3: versions from 2.6.0 up to, but not including, 2.7.0

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-409: limits the effects of data amplification from compressed or malicious inputs.

References