CVE Alert

CVE-2026-21441

HIGH 7.5

urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (streaming API)

CVSS Score
7.5
EPSS Score
0.0%
EPSS Percentile
0th

urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP `Content-Encoding` header (e.g., `gzip`, `deflate`, `br`, or `zstd`). When using the streaming API, the library decompresses only the necessary bytes, enabling partial content consumption. Starting in version 1.22 and prior to version 2.6.3, for HTTP redirect responses, the library would read the entire response body to drain the connection and decompress the content unnecessarily. This decompression occurred even before any read methods were called, and configured read limits did not restrict the amount of decompressed data. As a result, there was no safeguard against decompression bombs. A malicious server could exploit this to trigger excessive resource consumption on the client. Applications and libraries are affected when they stream content from untrusted sources by setting `preload_content=False` and do not disable redirects. Users should upgrade to at least urllib3 v2.6.3, in which the library does not decode content of redirect responses when `preload_content=False`. If upgrading is not immediately possible, disable redirects by setting `redirect=False` for requests to untrusted sources.
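An added example (not urllib3's own code) of the two things a defender wants from this advisory: a check that an installed urllib3 version falls inside the affected range, and the kind of bounded incremental decoding whose absence on the redirect path is the bug, alongside a request wrapper that uses the `redirect=False` mitigation. `fetch_gzip_untrusted`, `bounded_gunzip` and `constructed_bomb` are hypothetical helper names; the wrapper assumes a `urllib3.PoolManager` instance and a gzip-encoded body, and the bomb input is constructed locally for testing.

```python
import gzip
import re
import zlib

# Affected range taken from the advisory: >= 1.22, < 2.6.3
AFFECTED_MIN, FIXED_IN = (1, 22, 0), (2, 6, 3)


def parse_version(text: str) -> tuple:
    """'1.26.18' -> (1, 26, 18); '1.22' -> (1, 22, 0). Pre-release suffixes are ignored."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version: str) -> bool:
    """True when an installed urllib3 version falls inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN


class DecompressionLimitExceeded(Exception):
    """Inflating the body would exceed the caller's decoded-size budget."""


def bounded_gunzip(chunks, max_decoded: int) -> bytes:
    """Inflate gzip chunks incrementally, never holding more than max_decoded bytes.
    zlib's max_length caps output per call and parks unprocessed input in
    unconsumed_tail, so a bomb is stopped before it expands in memory."""
    inflater = zlib.decompressobj(wbits=31)  # 31 = gzip framing + 15-bit window
    out = bytearray()
    for chunk in chunks:
        pending = chunk
        while pending:
            out += inflater.decompress(pending, max_length=max_decoded - len(out) + 1)
            if len(out) > max_decoded:
                raise DecompressionLimitExceeded(f"decoded size exceeds {max_decoded} bytes")
            pending = inflater.unconsumed_tail
    return bytes(out)


def fetch_gzip_untrusted(http, url: str, max_decoded: int) -> bytes:
    """Hypothetical wrapper around a urllib3 PoolManager: redirect=False keeps the
    vulnerable drain-and-decode path out; the raw stream is inflated under a budget."""
    resp = http.request("GET", url, redirect=False, preload_content=False)
    try:
        if 300 <= resp.status < 400:  # surface redirects instead of auto-following them
            raise RuntimeError(f"refusing redirect to {resp.headers.get('Location')}")
        return bounded_gunzip(resp.stream(amt=65536, decode_content=False), max_decoded)
    finally:
        resp.release_conn()


def constructed_bomb(decoded_size: int, chunk: int = 4096):
    """Constructed test input: a highly compressible body, yielded in wire-sized chunks."""
    data = gzip.compress(b"\0" * decoded_size)
    return (data[i:i + chunk] for i in range(0, len(data), chunk))
```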

CWE CWE-409
Vendor urllib3
Product urllib3
Published Jan 7, 2026
Last Updated Jun 30, 2026

Affected Versions

urllib3 / urllib3
>= 1.22, < 2.6.3
