RHSA-2026:17457
Vulnerability from csaf_redhat - Published: 2026-05-14 06:44 - Updated: 2026-06-10 21:44

urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP `Content-Encoding` header (e.g., `gzip`, `deflate`, `br`, or `zstd`). When using the streaming API, the library decompresses only the necessary bytes, enabling partial content consumption. Starting in version 1.22 and prior to version 2.6.3, for HTTP redirect responses, the library would read the entire response body to drain the connection and decompress the content unnecessarily. This decompression occurred even before any read methods were called, and configured read limits did not restrict the amount of decompressed data. As a result, there was no safeguard against decompression bombs. A malicious server could exploit this to trigger excessive resource consumption on the client. Applications and libraries are affected when they stream content from untrusted sources by setting `preload_content=False` and do not disable redirects. Users should upgrade to at least urllib3 v2.6.3, in which the library does not decode the content of redirect responses when `preload_content=False`. If upgrading is not immediately possible, disable redirects by setting `redirect=False` for requests to untrusted sources.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Zero Trust Workload Identity Manager 1:registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-agent-rhel9@sha256:402eabe171ba8129489ddd12eccea03e475da226fcd230eba5bfdeff3d73dc8e_amd64 | — | | Vendor Fix |
| Unresolved product id: Zero Trust Workload Identity Manager 1:registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-agent-rhel9@sha256:79a3eb4b2ec11831c61aa0efbaaf3486ffed4546757dfbc4c541e3632a4c4333_arm64 | — | | Vendor Fix |
| Unresolved product id: Zero Trust Workload Identity Manager 1:registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-agent-rhel9@sha256:aea5bbed8fe42f9e9440578752bab1d2a28237df91bbaf8cacd1c7d8317ce07a_ppc64le | — | | Vendor Fix |
| Unresolved product id: Zero Trust Workload Identity Manager 1:registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-agent-rhel9@sha256:f86fd4e6ef238e3be6d6ccc8c2787db92c9f9a83220c7d1038be10818e2a91c5_s390x | — | | Vendor Fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "zero trust workload identity manager for Red Hat OpenShift 1.0.1",
"title": "Topic"
},
{
"category": "general",
"text": "The Zero Trust Workload Identity Manager (ZTWIM) is a day-2 operator. The operator manages lifecycle of operand components from SPIRE project. The goal of ZTWIM is to provide secure, verifiable workload identities for workloads in multi-cloud environments. The operand components automate identity issuance, rotation, and verification, enhancing the zero-trust security model while eliminating static credentials. The current release of zero trust workload identity manager for Red Hat OpenShift is for Technology Preview.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:17457",
"url": "https://access.redhat.com/errata/RHSA-2026:17457"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-21441",
"url": "https://access.redhat.com/security/cve/CVE-2026-21441"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html/security_and_compliance/zero-trust-workload-identity-manager",
"url": "https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html/security_and_compliance/zero-trust-workload-identity-manager"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_17457.json"
}
],
"title": "Red Hat Security Advisory: zero trust workload identity manager for Red Hat OpenShift 1.0.1",
"tracking": {
"current_release_date": "2026-06-10T21:44:19+00:00",
"generator": {
"date": "2026-06-10T21:44:19+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.2"
}
},
"id": "RHSA-2026:17457",
"initial_release_date": "2026-05-14T06:44:19+00:00",
"revision_history": [
{
"date": "2026-05-14T06:44:19+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-05-14T06:44:21+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-10T21:44:19+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Zero Trust Workload Identity Manager 1",
"product": {
"name": "Zero Trust Workload Identity Manager 1",
"product_id": "Zero Trust Workload Identity Manager 1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:zero_trust_workload_identity_manager:1.0::el9"
}
}
}
],
"category": "product_family",
"name": "Zero Trust Workload Identity Manager"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-agent-rhel9@sha256:402eabe171ba8129489ddd12eccea03e475da226fcd230eba5bfdeff3d73dc8e_amd64",
"product": {
"name": "registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-agent-rhel9@sha256:402eabe171ba8129489ddd12eccea03e475da226fcd230eba5bfdeff3d73dc8e_amd64",
"product_id": "registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-agent-rhel9@sha256:402eabe171ba8129489ddd12eccea03e475da226fcd230eba5bfdeff3d73dc8e_amd64",
"product_identification_helper": {
"purl": "pkg:oci/spiffe-spire-agent-rhel9@sha256%3A402eabe171ba8129489ddd12eccea03e475da226fcd230eba5bfdeff3d73dc8e?arch=amd64\u0026repository_url=registry.redhat.io/zero-trust-workload-identity-manager\u0026tag=1778248894"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-agent-rhel9@sha256:f86fd4e6ef238e3be6d6ccc8c2787db92c9f9a83220c7d1038be10818e2a91c5_s390x",
"product": {
"name": "registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-agent-rhel9@sha256:f86fd4e6ef238e3be6d6ccc8c2787db92c9f9a83220c7d1038be10818e2a91c5_s390x",
"product_id": "registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-agent-rhel9@sha256:f86fd4e6ef238e3be6d6ccc8c2787db92c9f9a83220c7d1038be10818e2a91c5_s390x",
"product_identification_helper": {
"purl": "pkg:oci/spiffe-spire-agent-rhel9@sha256%3Af86fd4e6ef238e3be6d6ccc8c2787db92c9f9a83220c7d1038be10818e2a91c5?arch=s390x\u0026repository_url=registry.redhat.io/zero-trust-workload-identity-manager\u0026tag=1778248894"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-agent-rhel9@sha256:aea5bbed8fe42f9e9440578752bab1d2a28237df91bbaf8cacd1c7d8317ce07a_ppc64le",
"product": {
"name": "registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-agent-rhel9@sha256:aea5bbed8fe42f9e9440578752bab1d2a28237df91bbaf8cacd1c7d8317ce07a_ppc64le",
"product_id": "registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-agent-rhel9@sha256:aea5bbed8fe42f9e9440578752bab1d2a28237df91bbaf8cacd1c7d8317ce07a_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/spiffe-spire-agent-rhel9@sha256%3Aaea5bbed8fe42f9e9440578752bab1d2a28237df91bbaf8cacd1c7d8317ce07a?arch=ppc64le\u0026repository_url=registry.redhat.io/zero-trust-workload-identity-manager\u0026tag=1778248894"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-agent-rhel9@sha256:79a3eb4b2ec11831c61aa0efbaaf3486ffed4546757dfbc4c541e3632a4c4333_arm64",
"product": {
"name": "registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-agent-rhel9@sha256:79a3eb4b2ec11831c61aa0efbaaf3486ffed4546757dfbc4c541e3632a4c4333_arm64",
"product_id": "registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-agent-rhel9@sha256:79a3eb4b2ec11831c61aa0efbaaf3486ffed4546757dfbc4c541e3632a4c4333_arm64",
"product_identification_helper": {
"purl": "pkg:oci/spiffe-spire-agent-rhel9@sha256%3A79a3eb4b2ec11831c61aa0efbaaf3486ffed4546757dfbc4c541e3632a4c4333?arch=arm64\u0026repository_url=registry.redhat.io/zero-trust-workload-identity-manager\u0026tag=1778248894"
}
}
}
],
"category": "architecture",
"name": "arm64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-agent-rhel9@sha256:402eabe171ba8129489ddd12eccea03e475da226fcd230eba5bfdeff3d73dc8e_amd64 as a component of Zero Trust Workload Identity Manager 1",
"product_id": "Zero Trust Workload Identity Manager 1:registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-agent-rhel9@sha256:402eabe171ba8129489ddd12eccea03e475da226fcd230eba5bfdeff3d73dc8e_amd64"
},
"product_reference": "registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-agent-rhel9@sha256:402eabe171ba8129489ddd12eccea03e475da226fcd230eba5bfdeff3d73dc8e_amd64",
"relates_to_product_reference": "Zero Trust Workload Identity Manager 1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-agent-rhel9@sha256:79a3eb4b2ec11831c61aa0efbaaf3486ffed4546757dfbc4c541e3632a4c4333_arm64 as a component of Zero Trust Workload Identity Manager 1",
"product_id": "Zero Trust Workload Identity Manager 1:registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-agent-rhel9@sha256:79a3eb4b2ec11831c61aa0efbaaf3486ffed4546757dfbc4c541e3632a4c4333_arm64"
},
"product_reference": "registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-agent-rhel9@sha256:79a3eb4b2ec11831c61aa0efbaaf3486ffed4546757dfbc4c541e3632a4c4333_arm64",
"relates_to_product_reference": "Zero Trust Workload Identity Manager 1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-agent-rhel9@sha256:aea5bbed8fe42f9e9440578752bab1d2a28237df91bbaf8cacd1c7d8317ce07a_ppc64le as a component of Zero Trust Workload Identity Manager 1",
"product_id": "Zero Trust Workload Identity Manager 1:registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-agent-rhel9@sha256:aea5bbed8fe42f9e9440578752bab1d2a28237df91bbaf8cacd1c7d8317ce07a_ppc64le"
},
"product_reference": "registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-agent-rhel9@sha256:aea5bbed8fe42f9e9440578752bab1d2a28237df91bbaf8cacd1c7d8317ce07a_ppc64le",
"relates_to_product_reference": "Zero Trust Workload Identity Manager 1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-agent-rhel9@sha256:f86fd4e6ef238e3be6d6ccc8c2787db92c9f9a83220c7d1038be10818e2a91c5_s390x as a component of Zero Trust Workload Identity Manager 1",
"product_id": "Zero Trust Workload Identity Manager 1:registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-agent-rhel9@sha256:f86fd4e6ef238e3be6d6ccc8c2787db92c9f9a83220c7d1038be10818e2a91c5_s390x"
},
"product_reference": "registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-agent-rhel9@sha256:f86fd4e6ef238e3be6d6ccc8c2787db92c9f9a83220c7d1038be10818e2a91c5_s390x",
"relates_to_product_reference": "Zero Trust Workload Identity Manager 1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-21441",
"cwe": {
"id": "CWE-409",
"name": "Improper Handling of Highly Compressed Data (Data Amplification)"
},
"discovery_date": "2026-01-07T23:01:59.422078+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2427726"
}
],
"notes": [
{
"category": "description",
"text": "urllib3 is an HTTP client library for Python. urllib3\u0027s streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP `Content-Encoding` header (e.g., `gzip`, `deflate`, `br`, or `zstd`). When using the streaming API, the library decompresses only the necessary bytes, enabling partial content consumption. Starting in version 1.22 and prior to version 2.6.3, for HTTP redirect responses, the library would read the entire response body to drain the connection and decompress the content unnecessarily. This decompression occurred even before any read methods were called, and configured read limits did not restrict the amount of decompressed data. As a result, there was no safeguard against decompression bombs. A malicious server could exploit this to trigger excessive resource consumption on the client. Applications and libraries are affected when they stream content from untrusted sources by setting `preload_content=False` when they do not disable redirects. Users should upgrade to at least urllib3 v2.6.3, in which the library does not decode content of redirect responses when `preload_content=False`. If upgrading is not immediately possible, disable redirects by setting `redirect=False` for requests to untrusted source.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "urllib3: urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (streaming API)",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Zero Trust Workload Identity Manager 1:registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-agent-rhel9@sha256:402eabe171ba8129489ddd12eccea03e475da226fcd230eba5bfdeff3d73dc8e_amd64",
"Zero Trust Workload Identity Manager 1:registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-agent-rhel9@sha256:79a3eb4b2ec11831c61aa0efbaaf3486ffed4546757dfbc4c541e3632a4c4333_arm64",
"Zero Trust Workload Identity Manager 1:registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-agent-rhel9@sha256:aea5bbed8fe42f9e9440578752bab1d2a28237df91bbaf8cacd1c7d8317ce07a_ppc64le",
"Zero Trust Workload Identity Manager 1:registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-agent-rhel9@sha256:f86fd4e6ef238e3be6d6ccc8c2787db92c9f9a83220c7d1038be10818e2a91c5_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-21441"
},
{
"category": "external",
"summary": "RHBZ#2427726",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2427726"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-21441",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21441"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-21441",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21441"
},
{
"category": "external",
"summary": "https://github.com/urllib3/urllib3/commit/8864ac407bba8607950025e0979c4c69bc7abc7b",
"url": "https://github.com/urllib3/urllib3/commit/8864ac407bba8607950025e0979c4c69bc7abc7b"
},
{
"category": "external",
"summary": "https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99",
"url": "https://github.com/urllib3/urllib3/security/advisories/GHSA-38jv-5279-wg99"
}
],
"release_date": "2026-01-07T22:09:01.936000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-14T06:44:19+00:00",
"details": "Before installing the operator, make sure all previously released errata relevant to your system have been applied.\n\nThe steps to apply the upgraded images will differ depending on the installation plan approval policy that will be used\nwhile installing thezero trust workload identity manager for Red Hat OpenShift.\n\n- If the approval policy is set to `Automatic`, then the Operator will be upgraded automatically when there is a\nnew version of the Operator. No further action is required to upgrade. This is the default setting.\n\n- If you changed the approval policy to `Manual`, then you must manually approve the upgrade to the Operator.",
"product_ids": [
"Zero Trust Workload Identity Manager 1:registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-agent-rhel9@sha256:402eabe171ba8129489ddd12eccea03e475da226fcd230eba5bfdeff3d73dc8e_amd64",
"Zero Trust Workload Identity Manager 1:registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-agent-rhel9@sha256:79a3eb4b2ec11831c61aa0efbaaf3486ffed4546757dfbc4c541e3632a4c4333_arm64",
"Zero Trust Workload Identity Manager 1:registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-agent-rhel9@sha256:aea5bbed8fe42f9e9440578752bab1d2a28237df91bbaf8cacd1c7d8317ce07a_ppc64le",
"Zero Trust Workload Identity Manager 1:registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-agent-rhel9@sha256:f86fd4e6ef238e3be6d6ccc8c2787db92c9f9a83220c7d1038be10818e2a91c5_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:17457"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Zero Trust Workload Identity Manager 1:registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-agent-rhel9@sha256:402eabe171ba8129489ddd12eccea03e475da226fcd230eba5bfdeff3d73dc8e_amd64",
"Zero Trust Workload Identity Manager 1:registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-agent-rhel9@sha256:79a3eb4b2ec11831c61aa0efbaaf3486ffed4546757dfbc4c541e3632a4c4333_arm64",
"Zero Trust Workload Identity Manager 1:registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-agent-rhel9@sha256:aea5bbed8fe42f9e9440578752bab1d2a28237df91bbaf8cacd1c7d8317ce07a_ppc64le",
"Zero Trust Workload Identity Manager 1:registry.redhat.io/zero-trust-workload-identity-manager/spiffe-spire-agent-rhel9@sha256:f86fd4e6ef238e3be6d6ccc8c2787db92c9f9a83220c7d1038be10818e2a91c5_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "urllib3: urllib3 vulnerable to decompression-bomb safeguard bypass when following HTTP redirects (streaming API)"
}
]
}