## CVE-2026-44432: urllib3 Streaming API Flaws Allow Decompression-Bomb Attacks Against Python Clients
A pair of high-severity decompression-bomb vulnerabilities have been identified in urllib3 versions 2.6.0 through 2.6.x (prior to 2.7.0), exposing applications that rely on the library's streaming API to resource-exhaustion attacks. Tracked as CVE-2026-44432 with a CVSS v4.0 score of 8.9, the flaws allow a malicious server to force a client into fully decompressing a highly compressed payload, causing excessive CPU and memory consumption.

The first vulnerability specifically targets Brotli-encoded responses, triggering uncontrolled decompression on a second `read()` call. The second flaw is broader, affecting any compression algorithm when `HTTPResponse.drain_conn()` is invoked after partial decompression has already begun. Both attack vectors exploit the same code path in urllib3 2.6.3 conda installations previously linked to CVE-2026-44431. The CVSS vector indicates network-reachable attacks with low complexity, meaning any server a vulnerable client contacts could trigger the flaw without requiring special privileges or user interaction.

The vulnerability poses significant risk for applications that use urllib3 to fetch content from untrusted or external sources. Automated clients, build systems, and services that stream HTTP responses can be driven into a self-inflicted denial of service simply by reading a response from a malicious server. Developers using affected versions are advised to upgrade to urllib3 2.7.0 or later, where the decompression handling has been corrected. Given the library's widespread use across the Python ecosystem, the exposure is considered broad, and patching timelines will be a critical factor in determining whether widespread exploitation emerges.
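The following is an added example written for this write-up, not code from urllib3 or from the advisory. It does two things a defender would want: it checks whether an installed version string falls in the affected range the advisory states (2.6.0 and later, before 2.7.0), and it shows a client-side decompression ceiling that stops inflating a streamed body once a byte budget is exceeded, independently of what the HTTP library does. The ceiling uses the standard-library `zlib`/`gzip` decompressor with its `max_length` argument as a stand-in for Brotli (the `brotli` package is not in the standard library), and the test inputs are constructed in memory; treating a size cap as a mitigation is the author's assumption, not the fix urllib3 shipped, so upgrading remains the primary action.

```python
import gzip
import zlib

# Affected range as stated in the advisory: 2.6.0 <= version < 2.7.0.
AFFECTED_MIN = (2, 6, 0)
FIXED = (2, 7, 0)


def parse_version(text: str) -> tuple:
    """Turn a dotted release string such as '2.6.3' into a comparable tuple.
    Non-numeric suffixes ('2.7.0rc1') are truncated at the first non-digit,
    which is good enough for a release-range check."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version: str) -> bool:
    """True when the version lies inside the range named in the advisory."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


class DecompressedSizeExceeded(Exception):
    """Raised when a stream inflates past the caller's byte budget."""


def bounded_decompress(chunks, max_bytes: int):
    """Yield plaintext from an iterable of compressed chunks (gzip or zlib
    framed), aborting as soon as more than max_bytes have been produced.
    Passing max_length to Decompress.decompress() guarantees no single call
    can inflate past the remaining budget; unprocessed input is left in
    unconsumed_tail and fed back in on the next iteration."""
    d = zlib.decompressobj(zlib.MAX_WBITS | 32)  # 32 = auto-detect gzip/zlib header
    produced = 0
    for chunk in chunks:
        data = chunk
        while data:
            # Allow one byte beyond the budget so an overrun is detectable.
            out = d.decompress(data, max_bytes - produced + 1)
            produced += len(out)
            if produced > max_bytes:
                raise DecompressedSizeExceeded(
                    f"decompressed output exceeded {max_bytes} bytes")
            yield out
            data = d.unconsumed_tail
    tail = d.flush()
    produced += len(tail)
    if produced > max_bytes:
        raise DecompressedSizeExceeded(
            f"decompressed output exceeded {max_bytes} bytes")
    if not d.eof:
        raise ValueError("truncated compressed stream")
    yield tail


def decompress_with_limit(compressed: bytes, max_bytes: int, chunk_size: int = 4096) -> bytes:
    """Feed a compressed body to bounded_decompress() in network-sized chunks."""
    chunks = (compressed[i:i + chunk_size] for i in range(0, len(compressed), chunk_size))
    return b"".join(bounded_decompress(chunks, max_bytes))


def is_bomb(compressed: bytes, max_bytes: int) -> bool:
    """True when the body would inflate beyond max_bytes."""
    try:
        decompress_with_limit(compressed, max_bytes)
    except DecompressedSizeExceeded:
        return True
    return False


# Constructed test fixtures: a highly compressible body (8 MiB of zeros, a
# few KiB once gzipped) and a small ordinary body.
BOMB = gzip.compress(b"\x00" * (8 * 1024 * 1024))
BENIGN_PLAIN = b"GET /index.html response body\n" * 200
BENIGN = gzip.compress(BENIGN_PLAIN)

if __name__ == "__main__":
    for v in ("2.6.0", "2.6.3", "2.7.0", "1.26.20"):
        print(f"urllib3 {v}: {'AFFECTED' if is_affected(v) else 'not affected'}")
    print("bomb exceeds 1 MiB budget:", is_bomb(BOMB, 1024 * 1024))
    print("benign exceeds 1 MiB budget:", is_bomb(BENIGN, 1024 * 1024))
```

The budget is enforced per call to the decompressor rather than by inspecting `Content-Length`, because a compressed length says nothing about the inflated size; the same pattern applies to any streaming decompressor that exposes an output-length limit.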
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2026-44432, decompression-bomb, urllib3, Brotli, Python
- **Credibility**: unverified
- **Published**: 2026-05-12 17:48:29
- **ID**: 82302
- **URL**: https://whisperx.ai/en/intel/82302