
fix: urllib3 2.7.0 compatibility — CVE-2026-44431 and CVE-2026-44432 (closes #10350) #10408

Draft
sseshachala wants to merge 1 commit into aws:v2 from sseshachala:fix/issue-10350


@sseshachala


Fixes #10350


This fix was implemented autonomously by Conduct AI — an open-source platform that turns AI agents into reusable team automations via YAML playbooks.

Want Conduct AI to automate fixes in your repo too? Get started free →

@sseshachala sseshachala force-pushed the fix/issue-10350 branch 3 times, most recently from 8a591c3 to fe36788 Compare June 13, 2026 21:16
…44432 (aws#10350)

urllib3 2.7.0 compatibility — CVE-2026-44431 and CVE-2026-44432

- Updated urllib3 constraint in pyproject.toml from <=2.6.3 to <=2.7.0
- Updated all four download-deps lock files to pin urllib3==2.7.0 with
  correct SHA256 hashes from PyPI (whl and sdist)
- Added changelog entry under .changes/next-release/urllib3-270-cve.json

CVE-2026-44431 (CVSS 8.2): sensitive headers not stripped on cross-origin
redirects when using ProxyManager API path
CVE-2026-44432 (CVSS 8.9): decompression bomb via Brotli streaming API

Fixes aws#10350
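
A reviewer could confirm the lock-file pins described in the commit message with a check like the following. This is an added example, not code from the pull request or the aws-cli repository; it assumes the lock files use pip's hash-pinned requirements format, and the sample file, its placeholder hashes, and the names `parse_lock` and `check_pin` are constructed for illustration.

```python
import re

# Constructed sample in pip's hash-pinned requirements format; the hash
# values are placeholders, not urllib3's real digests.
SAMPLE_LOCK = """\
certifi==2026.1.1 \\
    --hash=sha256:{a}
urllib3==2.7.0 \\
    --hash=sha256:{b} \\
    --hash=sha256:{c}
""".format(a="a" * 64, b="b" * 64, c="c" * 64)

PIN_RE = re.compile(r"^([A-Za-z0-9._-]+)==([^\s;\\]+)")
HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})(?![0-9a-f])")


def parse_lock(text):
    """Return {name: (version, [sha256, ...])} from a hash-pinned lock file."""
    # Join backslash continuations so each requirement is one logical line.
    logical = re.sub(r"\\\r?\n", " ", text).splitlines()
    pins = {}
    for line in logical:
        line = line.split(" #", 1)[0].strip()  # drop trailing comments
        m = PIN_RE.match(line)
        if m:
            pins[m.group(1).lower()] = (m.group(2), HASH_RE.findall(line))
    return pins


def check_pin(text, name="urllib3", want="2.7.0", min_hashes=2):
    """List problems with one pin; an empty list means the pin looks right."""
    pins = parse_lock(text)
    if name not in pins:
        return [f"{name} is not pinned"]
    version, hashes = pins[name]
    problems = []
    if version != want:
        problems.append(f"{name} pinned to {version}, expected {want}")
    # The commit pins both a wheel and an sdist, so expect two distinct digests.
    if len(set(hashes)) < min_hashes:
        problems.append(f"{name} has {len(set(hashes))} sha256 hashes, expected {min_hashes}")
    return problems


if __name__ == "__main__":
    print(check_pin(SAMPLE_LOCK) or "ok")
```

The check only confirms that the pin and well-formed digests are present; comparing the digests against the values PyPI publishes for the release is a separate step it does not perform.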