CVE-2026-54274: aiohttp: Incomplete websocket frame payloads bypass memory limits

June 15, 2026

If an attacker sends large incomplete websocket frame payloads, it may be possible to bypass the usual size limits on memory use.

References

github.com/advisories/GHSA-xcgm-r5h9-7989
github.com/aio-libs/aiohttp/security/advisories/GHSA-xcgm-r5h9-7989
nvd.nist.gov/vuln/detail/CVE-2026-54274

Code Behaviors & Features

Detect and mitigate CVE-2026-54274 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →