CVE-2026-54280 | AIOHTTP is an asynchronous HTTP client/server framework for … | CVSS 1.7 LOW

Description

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, payload resources are not closed correctly when a client disconnects in the middle of a write. If a payload is using an open file or similar limited resource, then an attacker may be able to cause resource starvation temporarily until garbage collection or similar closes the file. This vulnerability is fixed in 3.14.1.

Metadata

CVE ID: CVE-2026-54280
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-12 17:13 UTC
Published: 2026-06-22 16:40 UTC
Last updated: 2026-06-22 18:18 UTC
Primary CWE: CWE-404
CWE-404: Improper Resource Shutdown or Release
Vendor / Product: aio-libs / aiohttp
Sources: cve.org · NVD

Severity & Metrics

1.7 LOW CVSS 4.0

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
aio-libs	aiohttp	—	< 3.14.1

Weakness (CWE)

CWE	Source	Description
CWE-404	cna	CWE-404: Improper Resource Shutdown or Release

CVSS scores (1)

Score	Severity	Version	Source	Vector
1.7	LOW	4.0	cna	CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U

References (2)

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-9x8q-7h8h-wcw9 https://github.com/aio-libs/aiohttp/security/advisories/GHSA-9x8q-7h8h-wcw9
https://github.com/aio-libs/aiohttp/commit/a762eda5242f6490d6ba667533193f8b473ad587 https://github.com/aio-libs/aiohttp/commit/a762eda5242f6490d6ba667533193f8b473ad587