HTTP response splitting in aiohttp - CVE-2026-34520

Published: April 26, 2026


Vulnerability identifier: #VU127947
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-34520
CWE-ID: CWE-113
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: aio-libs
Affected software:
aiohttp

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass security controls.

The vulnerability exists because the llhttp-based C parser used by aiohttp does not properly neutralize control characters in HTTP response header values. A remote attacker can send specially crafted header values to bypass security controls.

Because the control characters survive parsing, a header value can be interpreted differently than expected by application logic or by intermediary components such as reverse proxies (CWE-113, HTTP response splitting).
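The following is an added example, not code from aiohttp or from this advisory. It shows the class of bug the description refers to: a field-value check that rejects control characters per the RFC 9110 field-value grammar, and a small serializer/parser round trip that demonstrates how one header value containing a bare CR LF becomes two headers once it reaches a downstream component. All names, the regex and the sample header are constructed for the example.

```python
"""Added example (not aiohttp's code): reject control characters in header
values, and show why letting them through splits one header into several."""
import re

# RFC 9110 field-value is VCHAR / SP / HTAB / obs-text (0x80-0xFF).
# CTLs (0x00-0x1F, 0x7F) are not allowed; CR, LF and NUL are the ones that
# change how the next component reads the block. Constructed pattern.
_FIELD_VALUE = re.compile(rb"[\t \x21-\x7e\x80-\xff]*")


def is_valid_field_value(value: bytes) -> bool:
    """True only if value contains no control characters."""
    return _FIELD_VALUE.fullmatch(value) is not None


def serialize_headers(headers: dict[str, bytes], strict: bool = True) -> bytes:
    """Serialize a header block.

    strict=True refuses control characters (what a fixed parser/serializer
    should enforce). strict=False mirrors a component that trusts values a
    lenient parser handed it, which is the flawed behaviour.
    """
    out = b""
    for name, value in headers.items():
        if strict and not is_valid_field_value(value):
            raise ValueError(f"control character in header {name!r}")
        out += name.encode("ascii") + b": " + value + b"\r\n"
    return out + b"\r\n"


def parse_header_block(block: bytes) -> list[tuple[bytes, bytes]]:
    """Minimal downstream reader (think reverse proxy): one field per CRLF line."""
    fields = []
    for line in block.split(b"\r\n"):
        if not line:  # empty line ends the header block
            break
        name, _, value = line.partition(b":")
        fields.append((name.strip().lower(), value.strip()))
    return fields


def split_headers_seen_downstream(name: str, value: bytes) -> list[tuple[bytes, bytes]]:
    """How many fields a lenient pipeline ends up forwarding for one header."""
    return parse_header_block(serialize_headers({name: value}, strict=False))


if __name__ == "__main__":
    # Constructed hostile value: a CRLF followed by a second header.
    hostile = b"ok\r\nSet-Cookie: session=attacker"
    print(split_headers_seen_downstream("X-Status", hostile))
    # With the check in place the value never reaches the serializer.
    try:
        serialize_headers({"X-Status": hostile})
    except ValueError as exc:
        print("rejected:", exc)
```

The lenient path turns the single `X-Status` header into `X-Status: ok` plus an attacker-controlled `Set-Cookie`, which is exactly the "interpreted differently by application logic or a reverse proxy" outcome the advisory describes. Note that aiohttp only uses the llhttp C parser when its compiled extension is installed; it otherwise falls back to a pure-Python parser (setting `AIOHTTP_NO_EXTENSIONS=1` forces that fallback). Whether the fallback is affected is not stated on this page, so do not treat it as a mitigation.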


How to mitigate CVE-2026-34520

Install the security update from the vendor's website. Until it is deployed, treat header values received through aiohttp as untrusted and reject values containing control characters before they reach application logic or a reverse proxy.

Sources