SB2026042605 - Multiple vulnerabilities in aiohttp




Published: April 26, 2026

Security Bulletin ID SB2026042605
CSH Severity Medium
Patch available YES
Number of vulnerabilities 10
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 90%, Low 10%

Description

This security bulletin contains information about 10 vulnerabilities.


1) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2026-34525)

CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to bypass a Host-based security check and reach a privileged sub-application.

The vulnerability exists due to inconsistent interpretation of HTTP requests that carry multiple Host headers: a reverse proxy in front of aiohttp and aiohttp itself can select different Host values for the same request. A remote attacker can send a specially crafted request with duplicate Host headers so that the proxy evaluates its rules against one host while aiohttp routes the request by the other, bypassing the proxy's security check and reaching a privileged sub-application.

Exploitation requires a deployment in which a reverse proxy applies security rules based on the target Host and the application registers sub-applications with Application.add_domain().
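The following Python example is added to this bulletin to illustrate the mechanism; it is not aiohttp's code. The "first"/"last" selection rules, the host names and the proxy and routing functions are assumptions made for the illustration (the bulletin does not state which occurrence aiohttp or any particular proxy honours). The hardened check at the end, rejecting any request with more than one Host header, is the control a practitioner would apply at either layer.

```python
from typing import Iterable, List, Tuple

Header = Tuple[str, str]  # (name, value) in wire order, as a parser delivers them

# Hypothetical deployment policy for this example: the edge proxy lets requests
# for the public virtual host through without authentication and guards the
# admin virtual host; the application mounts a sub-application per host.
PUBLIC_HOSTS = {"www.example"}
ADMIN_HOSTS = {"admin.example"}


def host_values(headers: Iterable[Header]) -> List[str]:
    """Every Host value present, in order; a compliant request has exactly one."""
    return [value.strip() for name, value in headers if name.lower() == "host"]


def pick_host(headers: Iterable[Header], strategy: str) -> str:
    """Which occurrence a component honours when Host is duplicated.
    "first" and "last" are both seen in real parsers; neither is safe on its own."""
    hosts = host_values(headers)
    if not hosts:
        return ""
    if strategy == "first":
        return hosts[0]
    if strategy == "last":
        return hosts[-1]
    raise ValueError(f"unknown strategy {strategy!r}")


def proxy_allows(headers: Iterable[Header]) -> bool:
    """Edge rule (assumed): unauthenticated requests pass only for a public host,
    and this proxy happens to evaluate the first Host header."""
    return pick_host(headers, "first") in PUBLIC_HOSTS


def app_routes_to(headers: Iterable[Header]) -> str:
    """Application routing (assumed): sub-application chosen by Host, but this
    side happens to read the last Host header."""
    return "admin" if pick_host(headers, "last") in ADMIN_HOSTS else "public"


def require_single_host(headers: Iterable[Header]) -> str:
    """Hardened check for either layer: reject the request unless Host appears
    exactly once, so both sides are guaranteed to see the same value."""
    hosts = host_values(headers)
    if len(hosts) != 1:
        raise ValueError(f"expected exactly one Host header, got {len(hosts)}")
    return hosts[0]


# Constructed request: two Host headers, one to satisfy the proxy and one to
# steer the application.
CRAFTED = [("Host", "www.example"), ("Host", "admin.example"), ("User-Agent", "x")]
NORMAL = [("Host", "www.example"), ("User-Agent", "x")]

if __name__ == "__main__":
    print("proxy allows:", proxy_allows(CRAFTED))    # True
    print("app routes to:", app_routes_to(CRAFTED))  # admin
    try:
        require_single_host(CRAFTED)
    except ValueError as exc:
        print("hardened check:", exc)
```

With the crafted request the proxy sees www.example and lets it through, while the application sees admin.example and dispatches to the privileged sub-application; require_single_host refuses the request before either decision is made.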


2) HTTP response splitting (CVE-ID: CVE-2026-34520)

CWE-ID: CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass security controls that rely on header values.

The vulnerability exists due to improper neutralization of control characters in HTTP header values in the C parser (llhttp) when processing response headers. A remote attacker can send specially crafted header values containing control characters to bypass security controls.

Because the control characters survive parsing, a header value can be interpreted differently by application logic than by an intermediary component such as a reverse proxy, so a check applied at one layer need not hold at the other.


3) HTTP response splitting (CVE-ID: CVE-2026-34519)

CWE-ID: CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to inject extra headers into an HTTP response.

The vulnerability exists due to improper neutralization of CRLF sequences in HTTP headers in the Response reason parameter when a response is created with untrusted reason data. Because the reason phrase sits on the status line, a carriage return inside it terminates that line early and the remainder of the value is emitted as additional header lines. A remote attacker can supply a crafted reason value containing carriage return characters to inject extra headers into an HTTP response.

The issue is exploitable only if an application passes untrusted data into the response reason parameter.


4) Information disclosure (CVE-ID: CVE-2026-34518)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to obtain credentials sent by the client.

The vulnerability exists due to exposure of sensitive information in the client's redirect handling when following a redirect to a different origin. A remote attacker who can cause a server the client talks to to redirect it cross-origin can make the client forward credentials to an origin they were not intended for.

When following a cross-origin redirect the client drops the Authorization header but retains the Cookie and Proxy-Authorization headers, so those values are sent to the new origin.
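The policy a client should apply is shown below as an added Python example; it is not aiohttp's code. It compares the origin (scheme, host, effective port) of the original request with that of the redirect target and strips all three credential-bearing headers when the origin changes, including a scheme downgrade on the same host. The header names and URLs are constructed for the illustration.

```python
from typing import Dict, Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

# Credentials that must not follow a redirect to another origin. The bulletin
# notes that only Authorization was dropped; this policy drops all three.
SENSITIVE_ON_REDIRECT = frozenset({"authorization", "cookie", "proxy-authorization"})


def origin(url: str) -> Tuple[str, str, int]:
    """(scheme, host, port) with default ports filled in, so that
    https://h/ and https://h:443/ compare equal while https://h/ and http://h/
    do not (a downgrade is a change of origin)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme, -1)
    return (scheme, (parts.hostname or "").lower(), port)


def headers_for_redirect(headers: Dict[str, str], from_url: str, to_url: str) -> Dict[str, str]:
    """Headers to send on the redirected request: unchanged for a same-origin
    hop, stripped of credentials when the origin changes."""
    if origin(from_url) == origin(to_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_ON_REDIRECT}


# Constructed request headers carrying all three credential types
REQUEST_HEADERS = {
    "Authorization": "Bearer t0ken",
    "Cookie": "sid=abc",
    "Proxy-Authorization": "Basic cHJveHk6cHc=",
    "Accept": "application/json",
}

if __name__ == "__main__":
    print(headers_for_redirect(REQUEST_HEADERS,
                               "https://api.example/login",
                               "https://cdn.evil/landing"))
```

Proxy-Authorization deserves a note: it is addressed to the proxy rather than the origin, so a client that keeps a single fixed proxy may legitimately re-send it; the policy above errs on the side of dropping it, which is the safe default when the redirect target is not trusted.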


5) Resource exhaustion (CVE-ID: CVE-2026-34517)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper resource management in Request.post() when processing specially crafted multipart form fields. A remote attacker can send a specially crafted multipart request to exhaust server memory and cause a denial of service.

The issue affects non-file multipart fields, which are read into memory in full before the client_max_size check is enforced, so the configured limit does not bound the memory consumed while such a field is being read.
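The ordering problem, and the fix, can be shown with a small Python example added to this bulletin; it is not aiohttp's multipart reader. Parts are modelled as a Content-Disposition value plus an iterator of body chunks (an assumption for the illustration), and the oversized field is constructed. The flawed reader buffers a whole field and then consults the limit; the bounded reader consults the limit before retaining each chunk, so memory never exceeds client_max_size.

```python
import re
from typing import Dict, Iterable, Iterator, Tuple

# A part is (Content-Disposition value, iterator of body chunks); constructed
# for this example rather than taken from aiohttp's multipart reader.
Part = Tuple[str, Iterable[bytes]]


class RequestEntityTooLarge(Exception):
    def __init__(self, limit: int, buffered: int) -> None:
        super().__init__(f"form body exceeds client_max_size={limit}")
        self.limit = limit
        self.buffered = buffered  # bytes held in memory at the moment we gave up


_PARAM = re.compile(r';\s*(\w+)="([^"]*)"')


def parse_disposition(value: str) -> Dict[str, str]:
    """'form-data; name="a"; filename="b"' -> {'name': 'a', 'filename': 'b'}"""
    return dict(_PARAM.findall(value))


def read_form_unsafe(parts: Iterable[Part], client_max_size: int) -> Dict[str, bytes]:
    """Flawed order: the limit is checked only after each field is fully buffered."""
    fields: Dict[str, bytes] = {}
    total = 0
    for disposition, chunks in parts:
        meta = parse_disposition(disposition)
        if "filename" in meta:
            continue  # file parts would be spooled elsewhere; not the issue here
        data = b"".join(chunks)       # whole field in memory first ...
        total += len(data)
        if total > client_max_size:   # ... then the limit is consulted
            raise RequestEntityTooLarge(client_max_size, total)
        fields[meta["name"]] = data
    return fields


def read_form_bounded(parts: Iterable[Part], client_max_size: int) -> Dict[str, bytes]:
    """Hardened order: the limit is enforced per chunk, before the chunk is retained."""
    fields: Dict[str, bytes] = {}
    total = 0  # bytes currently retained across all fields
    for disposition, chunks in parts:
        meta = parse_disposition(disposition)
        if "filename" in meta:
            continue
        buf = bytearray()
        for chunk in chunks:
            if total + len(chunk) > client_max_size:
                raise RequestEntityTooLarge(client_max_size, total)
            total += len(chunk)
            buf += chunk
        fields[meta["name"]] = bytes(buf)
    return fields


def crafted_parts(field_bytes: int, chunk: int = 64 * 1024) -> Iterator[Part]:
    """Constructed request body: one non-file field of `field_bytes` bytes,
    delivered in `chunk`-sized pieces as a streaming parser would."""
    def chunks() -> Iterator[bytes]:
        sent = 0
        while sent < field_bytes:
            n = min(chunk, field_bytes - sent)
            yield b"A" * n
            sent += n
    yield ('form-data; name="comment"', chunks())


def peak_buffered(reader, field_bytes: int, client_max_size: int) -> int:
    """How many bytes `reader` held before rejecting an oversized field."""
    try:
        reader(crafted_parts(field_bytes), client_max_size)
    except RequestEntityTooLarge as exc:
        return exc.buffered
    return field_bytes  # accepted in full


if __name__ == "__main__":
    limit = 256 * 1024
    print("unsafe buffered :", peak_buffered(read_form_unsafe, 1024 * 1024, limit))
    print("bounded buffered:", peak_buffered(read_form_bounded, 1024 * 1024, limit))
```

With a 256 KiB limit and a 1 MiB field the flawed reader holds the full 1 MiB before raising, whereas the bounded reader stops at exactly the limit; an attacker sending many such requests concurrently turns that difference into an out-of-memory condition.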


6) Input validation error (CVE-ID: CVE-2026-34516)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in multipart header processing when parsing a response that contains an excessive number of multipart headers. A remote attacker can serve a specially crafted multipart response to an application that reads it to cause a denial of service.

Other restrictions already in place limit the impact of this vulnerability.


7) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-34515)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to obtain sensitive information.

The vulnerability exists due to server-side request forgery in the static resource handler on Windows when a request for a static resource references a UNC path. A remote attacker can request a crafted path that resolves to a UNC share under attacker control, causing the server to open the remote path.

Opening the attacker's share makes the server authenticate to it over SMB, which can expose NTLMv2 hash material; the same path handling may also allow reading a local file on Windows systems.


8) CRLF injection (CVE-ID: CVE-2026-34514)

CWE-ID: CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to inject extra headers into a multipart request body.

The vulnerability exists due to improper neutralization of carriage return and line feed characters when the content type header of a multipart part is constructed from an attacker-controlled content_type parameter. A remote attacker can supply a crafted content_type value to inject extra headers into the part and so into the multipart request.

The issue occurs only if an application uses untrusted data for the multipart content_type parameter while constructing a request.
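Items 3 and 8 share one defect: a caller-supplied string (the response reason phrase in item 3, the part content type in item 8) is written onto a header line without rejecting CR, LF or NUL. The Python example below is added to this bulletin and is not aiohttp's serializer; the writer functions, field names and attacker values are constructed for the illustration. It pairs a flawed writer with a validating one for both cases and includes a small line-oriented reader to show what a receiver would see.

```python
import re
from typing import Iterable, List, Tuple

_CTL = re.compile(r"[\r\n\x00]")
# RFC 7230 token characters, the only ones permitted in a header name
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def check_field(value: str, what: str) -> str:
    """Reject CR, LF and NUL before a value is placed on the wire."""
    if _CTL.search(value):
        raise ValueError(f"{what} contains a CR, LF or NUL character")
    return value


def response_head_unsafe(status: int, reason: str, headers: Iterable[Tuple[str, str]]) -> str:
    """Flawed serializer (constructed): reason phrase and header values are
    written verbatim, so a CRLF inside them ends the current line early."""
    lines = [f"HTTP/1.1 {status} {reason}"]
    lines += [f"{name}: {value}" for name, value in headers]
    return "\r\n".join(lines) + "\r\n\r\n"


def response_head(status: int, reason: str, headers: Iterable[Tuple[str, str]]) -> str:
    """Hardened serializer: validate every field first, then reuse the writer."""
    headers = list(headers)
    check_field(reason, "reason phrase")
    for name, value in headers:
        if not _TOKEN.match(name):
            raise ValueError(f"invalid header name {name!r}")
        check_field(value, f"header {name!r}")
    return response_head_unsafe(status, reason, headers)


def part_head_unsafe(field_name: str, content_type: str) -> str:
    """Flawed multipart part header (constructed): content_type written verbatim."""
    return (f'Content-Disposition: form-data; name="{field_name}"\r\n'
            f"Content-Type: {content_type}\r\n\r\n")


def part_head(field_name: str, content_type: str) -> str:
    """Hardened variant: untrusted field name and content type are validated."""
    check_field(field_name, "field name")
    check_field(content_type, "content type")
    if '"' in field_name:
        raise ValueError("field name must not contain a double quote")
    return part_head_unsafe(field_name, content_type)


def header_names(head: str) -> List[str]:
    """What a line-oriented receiver sees as header names in a head block."""
    block = head.split("\r\n\r\n", 1)[0]
    names = []
    for line in block.split("\r\n"):
        if line.startswith("HTTP/") or ":" not in line:
            continue
        names.append(line.split(":", 1)[0])
    return names


# Constructed attacker-controlled values
EVIL_REASON = "OK\r\nSet-Cookie: session=attacker"
EVIL_CONTENT_TYPE = 'text/plain\r\nContent-Disposition: form-data; name="is_admin"'

if __name__ == "__main__":
    print(header_names(response_head_unsafe(200, EVIL_REASON, [("Content-Type", "text/html")])))
    print(header_names(part_head_unsafe("file", EVIL_CONTENT_TYPE)))
```

The flawed response writer turns the crafted reason phrase into a Set-Cookie header that the browser will honour; the flawed part writer lets a content type smuggle a second Content-Disposition that may override the field name on the receiving side. Both validating writers refuse the values outright, which is the right behaviour for a library boundary: there is no legitimate reason for a reason phrase or content type to contain line terminators.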


9) Resource exhaustion (CVE-ID: CVE-2026-34513)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled resource consumption in the TCPConnector DNS cache, which grows with every distinct host resolved. A remote attacker who can make an application issue requests to a very large number of distinct hosts can grow the cache without bound and cause a denial of service.


10) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-22815)

CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to allocation of resources without limits or throttling in header/trailer handling when processing an attacker-controlled request or response. A remote attacker can send a specially crafted request or response to cause a denial of service.
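Items 6 and 10 both come down to header-field parsing without a ceiling on count or size. The Python example below is added to this bulletin and is not aiohttp's parser; the limit values and the constructed header blocks are assumptions for the illustration, and the same routine applies to a request head, a trailer block, or the header block of a multipart part. The point is that each limit is enforced as a line is encountered, so a hostile peer is cut off after a bounded amount of work rather than after the whole block has been accumulated.

```python
from typing import List, Tuple


class HeaderLimitExceeded(Exception):
    """A header block exceeded a configured count or size limit."""


def parse_header_block(raw: bytes, max_fields: int = 100,
                       max_field_size: int = 8190) -> List[Tuple[str, str]]:
    """Parse 'Name: value\\r\\n' lines up to the terminating empty line.

    Limits are checked per line as it is reached, and the search for the next
    line terminator is itself bounded so an endless line cannot force a scan
    of the whole buffer."""
    fields: List[Tuple[str, str]] = []
    pos = 0
    while True:
        end = raw.find(b"\r\n", pos, pos + max_field_size + 2)
        if end == -1:
            if len(raw) - pos > max_field_size:
                raise HeaderLimitExceeded("header line exceeds max_field_size")
            raise ValueError("incomplete header block")
        line = raw[pos:end]
        pos = end + 2
        if not line:
            return fields  # empty line terminates the block
        if len(fields) >= max_fields:
            raise HeaderLimitExceeded("too many header fields")
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise ValueError(f"malformed header line {line!r}")
        fields.append((name.decode("latin-1").strip(), value.decode("latin-1").strip()))


def crafted_block(count: int, value_len: int = 10) -> bytes:
    """Constructed header block with `count` fields of `value_len`-byte values,
    standing in for a hostile request, response, trailer or multipart part."""
    lines = [f"X-Field-{i}: ".encode() + b"v" * value_len + b"\r\n" for i in range(count)]
    return b"".join(lines) + b"\r\n"


if __name__ == "__main__":
    print(len(parse_header_block(crafted_block(50))), "fields parsed")
    for hostile in (crafted_block(101), crafted_block(1, value_len=9000)):
        try:
            parse_header_block(hostile)
        except HeaderLimitExceeded as exc:
            print("rejected:", exc)
```

Appropriate values for max_fields and max_field_size depend on the deployment; what matters is that both exist and are applied before any further allocation, for trailers and multipart part headers as well as for the main header block.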


Remediation

Install the update from the vendor's website.