CVE-2026-21441

CWE-40911 documents8 sources

Severity

8.9HIGH

EPSS

0.0%

top 92.40%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Python Urllib3 Urllib3 Urllib3

Timeline

PublishedJan 7

Latest updateFeb 4

Description

urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP `Content-Encoding` header (e.g., `gzip`, `deflate`, `br`, or `zstd`). When using the streaming API, the library decompresses only the necessary bytes, enabling partial content consumption. Starting in ve…

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

Affected Packages4 packages

▶NVDpython/urllib31.22 — 2.6.3

▶Debianpython-urllib3< 1.26.5-1~exp1+deb11u3+3

▶PyPIurllib31.22 — 2.6.3

▶CVEListV5urllib3/urllib3>= 1.22, < 2.6.3

Patches

Patch: github.com ↗

🔴Vulnerability Details

GHSA

Decompression-bomb safeguards bypassed when following HTTP redirects (streaming API)↗2026-01-07

▶

OSV

Decompression-bomb safeguards bypassed when following HTTP redirects (streaming API)↗2026-01-07

▶

OSV

CVE-2026-21441: urllib3 is an HTTP client library for Python↗2026-01-07

▶

CVEList

urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (streaming API)↗2026-01-07

▶

📋Vendor Advisories

Ubuntu

pip vulnerabilities↗2026-02-04

▶

Ubuntu

urllib3 regression↗2026-01-19

▶

Ubuntu

urllib3 vulnerability↗2026-01-12

▶

Red Hat

urllib3: urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (streaming API)↗2026-01-07

▶

Debian

CVE-2026-21441: python-urllib3 - urllib3 is an HTTP client library for Python. urllib3's streaming API is designe...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-21441 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶