AIOHTTP <3.14: CookieJar.load() RCE via untrusted input
CVE-2026-34993 Published on June 2, 2026

AIOHTTP Vulnerable to Deserialization of Untrusted Data
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, using ``CookieJar.load()`` with untrusted input may allow arbitrary code execution. Most applications using this function will be doing so with the user's own data, so this is unlikely to affect many applications. Version 3.14.0 patches the issue. If an application does allow attacker controlled files to be loaded, a workaround on older releases would be to sanitize the files before loading.

NVD

Vulnerability Analysis

CVE-2026-34993 can be exploited with local system access, requires user interaction and user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a high impact on integrity, and a small impact on availability.

Attack Vector:
LOCAL
Attack Complexity:
HIGH
Privileges Required:
HIGH
User Interaction:
REQUIRED
Scope:
CHANGED
Confidentiality Impact:
LOW
Integrity Impact:
HIGH
Availability Impact:
LOW

Weakness Type

What is a Marshaling, Unmarshaling Vulnerability?

The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

CVE-2026-34993 has been classified to as a Marshaling, Unmarshaling vulnerability or weakness.


Affected Versions

aio-libs aiohttp Version < 3.14.0 is affected by CVE-2026-34993

Exploit Probability

EPSS
0.12%
Percentile
1.86%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.