PatchSiren cyber security CVE debrief
CVE-2026-47157 subzeroid CVE debrief
CVE-2026-47157 is a vulnerability in the aiograpi library, an asynchronous Instagram API client for Python. Versions of aiograpi before 0.9.10 accepted server-supplied signup challenge paths and used them to build request URLs without first validating that the paths were relative Instagram API paths. An attacker who could influence a challenge response could therefore cause challenge-handling requests, carrying the client's existing session headers, to be sent to a host other than the intended Instagram host. The vulnerability has a CVSS score of 6.5 and a severity of MEDIUM.
- Vendor: subzeroid
- Product: aiograpi
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-11
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-11
- Advisory updated: 2026-06-11
Who should care
Developers who use the aiograpi library in their applications, especially for Instagram API interactions that can trigger signup challenges, should be aware of this vulnerability. Upgrading to aiograpi version 0.9.10 or later mitigates the issue.
Technical summary
The aiograpi library did not validate server-supplied signup challenge paths before using them to build request URLs. Because the path was trusted as-is, a challenge response could redirect challenge-handling requests outside the intended Instagram API host, and those requests carried the client's existing session headers, potentially exposing the session to a third party.
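The check that closes this class of bug is to reject any challenge path that is not a relative path on the API host before joining it to the base URL. The code below is an added illustration, not aiograpi's own fix; the base URL, function names and sample paths are assumptions constructed for the example.

```python
"""Validate a server-supplied challenge path before building a request URL.

Added example, not code from aiograpi. API_BASE and all sample paths are
constructed for illustration.
"""
from urllib.parse import urljoin, urlsplit

# Assumed base URL of the API host the client is meant to talk to.
API_BASE = "https://i.instagram.com/api/v1/"


class UnsafeChallengePath(ValueError):
    """Raised when a challenge path would leave the intended API host."""


def is_relative_api_path(path: str) -> bool:
    """Accept only paths that stay on the API host: "/..." but not "//...",
    no scheme or host of their own, no backslashes (some HTTP clients
    normalise them to "/"), and no CR/LF/NUL that could split a request."""
    if not isinstance(path, str) or not path:
        return False
    if any(ch in path for ch in "\r\n\x00") or "\\" in path:
        return False
    if not path.startswith("/") or path.startswith("//"):
        return False
    parts = urlsplit(path)
    return not parts.scheme and not parts.netloc


def build_challenge_url(path: str) -> str:
    """Join a validated challenge path onto API_BASE, refusing anything else."""
    if not is_relative_api_path(path):
        raise UnsafeChallengePath(f"refusing challenge path: {path!r}")
    url = urljoin(API_BASE, path)
    # Second check after joining: the result must still point at the API host.
    if urlsplit(url).netloc != urlsplit(API_BASE).netloc:
        raise UnsafeChallengePath(f"challenge path escaped API host: {path!r}")
    return url


# Constructed sample paths as a challenge response might supply them.
SAMPLE_PATHS = [
    "/challenge/action/EXAMPLE123/",        # legitimate relative API path
    "https://attacker.example/challenge/",  # absolute URL to another host
    "//attacker.example/challenge/",        # protocol-relative URL
    "/\\attacker.example/challenge/",       # backslash that some clients turn into "/"
    "/challenge/\r\nX-Injected: 1",         # control characters in the path
]


def triage(paths):
    """Return {path: built_url_or_None} so each decision is visible."""
    results = {}
    for p in paths:
        try:
            results[p] = build_challenge_url(p)
        except UnsafeChallengePath:
            results[p] = None
    return results
```

Only the first sample path yields a URL; the other four are refused before any request is built.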
Defensive priority
MEDIUM
Recommended defensive actions
- Upgrade to aiograpi version 0.9.10 or later, which validates challenge paths as relative Instagram API paths before using them to build request URLs.
- Monitor the client's outbound traffic for challenge-handling requests sent to hosts other than the intended Instagram API host, since such requests would carry the client's session headers.
Evidence notes
The CVE record and NVD detail provide official information about this vulnerability. Additional references include commits, pull requests, and advisories from the aiograpi GitHub repository.
Official resources
CVE-2026-47157 was published on 2026-06-11T18:16:26.237Z and modified on 2026-06-11T21:02:34.917Z.