CVE-2026-54280— AIOHTTP: Payload Response Resources Are Not Closed After Mid-Body Disconnect
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-54280
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
AIOHTTP: Payload Response Resources Are Not Closed After Mid-Body Disconnect
Source: NVD (National Vulnerability Database)
Vulnerability Description
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, payload resources are not closed correctly when a client disconnects in the middle of a write. If a payload is using an open file or similar limited resource, then an attacker may be able to cause resource starvation temporarily until garbage collection or similar closes the file. This vulnerability is fixed in 3.14.1.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
不恰当的资源关闭或释放
Source: NVD (National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-54280
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-54280
请登录查看更多情报信息。
Other References for CVE-2026-54280 (2)
Same Patch Batch · aio-libs · 2026-06-22 · 9 CVEs total
| CVE-2026-54274 | AIOHTTP: Incomplete websocket frame payloads bypass memory limits | |
| CVE-2026-54277 | AIOHTTP: C HTTP Parser Bypasses max_line_size for Fragmented Lines | |
| CVE-2026-54273 | AIOHTTP: HTTP/1 Pipelined Requests Queue Without Limit | |
| CVE-2026-54278 | AIOHTTP: Unread Compressed Request Bodies Bypass client_max_size During Cleanup | |
| CVE-2026-54279 | AIOHTTP: Host-Only Cookies Become Domain Cookies After CookieJar Persistence | |
| CVE-2026-54275 | AIOHTTP: TLS Server Hostname Override Is Ignored When Reusing HTTPS Connections | |
| CVE-2026-54276 | AIOHTTP: DigestAuthMiddleware Applies Credentials to Cross-Origin Redirect Challenges | |
| CVE-2026-50269 | AIOHTTP: CRLF injection in multipart headers |
IV. Related Vulnerabilities
Same product: aiohttp
- CVE-2026-54273
AIOHTTP: HTTP/1 Pipelined Requests Queue Without Limit - CVE-2026-54278
AIOHTTP: Unread Compressed Request Bodies Bypass client_max_ - CVE-2026-54277
AIOHTTP: C HTTP Parser Bypasses max_line_size for Fragmented - CVE-2026-54276
AIOHTTP: DigestAuthMiddleware Applies Credentials to Cross-O - CVE-2026-54275
AIOHTTP: TLS Server Hostname Override Is Ignored When Reusin
Same vendor: aio-libs
- CVE-2026-54273
AIOHTTP: HTTP/1 Pipelined Requests Queue Without Limit - CVE-2026-54278
AIOHTTP: Unread Compressed Request Bodies Bypass client_max_ - CVE-2026-54277
AIOHTTP: C HTTP Parser Bypasses max_line_size for Fragmented - CVE-2026-54276
AIOHTTP: DigestAuthMiddleware Applies Credentials to Cross-O - CVE-2026-54275
AIOHTTP: TLS Server Hostname Override Is Ignored When Reusin
Same weakness: CWE-404
- CVE-2026-11317
Rockwell Automation Logix 5370 and 5570 Controllers Vulnerab - CVE-2026-45174
Idira Endpoint Privilege Manager Linux Agent: Potential bypa - CVE-2026-47213
BoxLite: Timeout Bypass Vulnerability - CVE-2026-10775
sgl-project SGLang Cache data_hash denial of service - CVE-2026-10295
SourceCodester Customer Review App review_app.py get_all_rev
V. Comments for CVE-2026-54280
No comments yet