DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-34515: NTLMv2 Credential Leak via Absolute Path Traversal in aiohttp

Vulnerability ID: CVE-2026-34515
CVSS Score: 6.6
Published: 2026-04-01

The aiohttp asynchronous Python framework, prior to version 3.13.4, handles static resource file resolution unsafely on Windows systems. This flaw allows unauthenticated remote attackers to inject Universal Naming Convention (UNC) paths, bypassing directory restrictions. Exploitation coerces the Windows server to initiate an outbound Server Message Block (SMB) connection, exposing the NTLMv2 service account hash to the attacker.

TL;DR

A path traversal vulnerability in aiohttp's Windows static resource handler allows attackers to inject UNC paths. This triggers outbound SMB connections, exposing NTLMv2 credentials and permitting local file disclosure.


⚠️ Exploit Status: POC

Technical Details

  • CWE IDs: CWE-36, CWE-918
  • Attack Vector: Network
  • CVSS v4.0 Base Score: 6.6
  • Impact: High Confidentiality (Credential Theft)
  • Exploit Status: Proof-of-Concept Available
  • KEV Status: Not Listed

Affected Systems

  • aiohttp deployments on Windows hosts that serve files through the static resource handler
  • aiohttp: < 3.13.4 (Fixed in: 3.13.4)

Code Analysis

Commit: 0ae2aa0

Fix for absolute path traversal in web_urldispatcher.py static resources
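The root cause described above is the classic unsafe join: pathlib discards the static root when the client-supplied name carries its own drive, root or UNC share. The block below is an added illustration, not aiohttp's code and not the content of the commit; it uses pure Windows paths (no filesystem access, so it runs anywhere and can never trigger an SMB connection) with an assumed static directory, and puts the unsafe join beside a hardened one.

```python
from pathlib import PureWindowsPath
from typing import Optional

# Constructed static root for the demonstration; no file on disk is touched.
STATIC_ROOT = PureWindowsPath(r"C:\srv\static")


def naive_join(root: PureWindowsPath, requested: str) -> PureWindowsPath:
    """Unsafe pattern: join the client-controlled name straight onto the root.

    On Windows semantics a right-hand operand that has its own anchor
    replaces the left side, so "//host/share/x" becomes a UNC path outside
    the static directory and "/Windows/win.ini" keeps the drive but swaps
    the root (local file disclosure).
    """
    return root / requested


def safe_join(root: PureWindowsPath, requested: str) -> Optional[PureWindowsPath]:
    """Hardened form: accept only a plain relative name below the root.

    Returns None for anything that should be answered with 403/404.
    """
    if not requested:
        return None
    candidate = PureWindowsPath(requested)
    # A drive ("C:"), a UNC share ("\\host\share") or a bare root ("\")
    # would make the join replace the static root instead of extending it.
    if candidate.drive or candidate.root:
        return None
    # Dot-dot segments climb out of the root once the OS resolves the path.
    if any(part in ("..", ".") for part in candidate.parts):
        return None
    joined = root / candidate
    # Final containment check: the result must sit strictly below the root.
    if root not in joined.parents:
        return None
    return joined


if __name__ == "__main__":
    for name in ("css/site.css", "//evil/share/x.txt", "/Windows/win.ini", "..\\secret.txt"):
        print(f"{name!r:28} naive={str(naive_join(STATIC_ROOT, name))!r:40} "
              f"safe={safe_join(STATIC_ROOT, name)}")
```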

Mitigation Strategies

  • Application Patching
  • Network Egress Filtering
  • Web Application Firewall (WAF) Rules

Remediation Steps:

  1. Identify all Python environments utilizing aiohttp versions prior to 3.13.4 on Windows hosts.
  2. Upgrade the aiohttp package to version 3.13.4 via pip or the relevant package manager.
  3. Configure network egress rules to block outbound TCP port 445 traffic from the affected application servers to untrusted networks.
  4. Deploy WAF rules to drop HTTP requests containing UNC path indicators (e.g., // or \\) targeting static endpoints.
