CVE-2026-44432

HIGH
Published May 13, 2026 Modified May 14, 2026 CWE-409

Description

urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) call when the response was decompressed using the official Brotli library or (2) when HTTPResponse.drain_conn() was called after the response had been read and decompressed partially (compression algorithm did not matter here). These issues could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This could result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data) on the client side. This vulnerability is fixed in 2.7.0.

CVSS v3.1 Score

7.5
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS — Exploit Prediction

0.0002
Probability of exploitation
0.05%
Percentile rank

EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.

Weakness Type (CWE)

CWE-409 CWE-409

Affected Products

Vendor Product
python urllib3

References

Frequently Asked Questions

What is CVE-2026-44432? +
urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) call when the response was decompressed using the official Brotli library or (2) when HTTPResponse.drain_conn() was called after the response had been read and decompressed partially (compression algorithm did not matter here). These issues could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This could result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data) on the client side. This vulnerability is fixed in 2.7.0. It has a CVSS v3.1 base score of 7.5 (HIGH).
How severe is CVE-2026-44432? +
CVE-2026-44432 has a CVSS v3.1 score of 7.5 out of 10, rated HIGH. This is a high-severity vulnerability that should be prioritized for patching. The EPSS score is 0.0002, placing it in the 0th percentile for exploitation probability.
What products are affected by CVE-2026-44432? +
CVE-2026-44432 affects products from python, specifically: urllib3. Check the affected products table above for specific version ranges.
How do I check if I'm vulnerable to CVE-2026-44432? +
You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2026-43970

Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in ninenines cowlib allows unauthenticated remote denial of service via memory …
CVE-2025-66019

pypdf is a free and open-source pure-python PDF library. Prior to version 6.4.0, an attacker who uses this vulnerability can …
CVE-2024-43499 7.5

.NET and Visual Studio Denial of Service Vulnerability
CVE-2025-62708 7.5

pypdf is a free and open-source pure-python PDF library. Prior to version 6.1.3, an attacker who uses this vulnerability can …
CVE-2025-58057 7.5

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In …
CVE-2024-3572 7.5

The scrapy/scrapy project is vulnerable to XML External Entity (XXE) attacks due to the use of lxml.etree.fromstring for parsing untrusted …

Don't wait for an exploit

Scan your website for vulnerabilities like CVE-2026-44432 — free, no signup required.

Start Free Scan