HTTP response splitting in aiohttp - CVE-2026-34519

 

Published: April 26, 2026


Vulnerability identifier: #VU127948
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-34519
CWE-ID: CWE-113
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: aio-libs
Affected software:
aiohttp

Detailed vulnerability description

The vulnerability allows a remote attacker to inject extra headers into an HTTP response.

The vulnerability exists due to improper neutralization of CRLF sequences in HTTP headers: the reason parameter of a Response is not validated when a response is created with untrusted reason data. A remote attacker can supply a crafted reason value containing carriage return characters to inject extra headers into the HTTP response.

The issue is exploitable only if an application uses untrusted data in the response reason parameter.
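The following is an added, self-contained example (not part of this advisory and not code from the aiohttp project) of the check an application should apply before untrusted data reaches a response reason phrase. It assumes the application builds responses with aiohttp's `web.Response(status=..., reason=...)` and wraps the reason value with one of the helpers below; aiohttp itself is not imported so the snippet runs with the standard library alone. The allowed character set follows the RFC 9112 reason-phrase grammar (HTAB, SP, VCHAR, obs-text); the sample values are constructed for illustration.

```python
import re

# RFC 9112 reason-phrase: HTAB / SP / VCHAR (0x21-0x7E) / obs-text (0x80-0xFF).
# CR, LF and other control characters are excluded: a CR or LF ends the status
# line, so anything after it would be read by the client as a new header.
_REASON_ALLOWED = re.compile(r"[\t \x21-\x7e\x80-\xff]*")
_REASON_DISALLOWED_RUN = re.compile(r"[^\t \x21-\x7e\x80-\xff]+")


class UnsafeReasonPhrase(ValueError):
    """Raised when a reason phrase would break out of the status line."""


def is_safe_reason(reason: str) -> bool:
    """True if every character of `reason` is legal in an HTTP reason phrase."""
    # fullmatch (not match with ^...$) so a trailing newline cannot slip past.
    return _REASON_ALLOWED.fullmatch(reason) is not None


def validate_reason(reason: str) -> str:
    """Reject-on-failure variant: return `reason` unchanged or raise.

    Use this where the reason value comes from untrusted input and the
    application would rather fail the request than serve a rewritten phrase.
    """
    if not is_safe_reason(reason):
        raise UnsafeReasonPhrase("reason phrase contains control characters")
    return reason


def sanitize_reason(reason: str, fallback: str = "OK") -> str:
    """Strip-on-failure variant: replace each run of disallowed characters
    with a single space and fall back to a default when nothing usable remains."""
    cleaned = _REASON_DISALLOWED_RUN.sub(" ", reason).strip()
    return cleaned or fallback


def status_line(status: int, reason: str) -> bytes:
    """Serialize an HTTP/1.1 status line after validating the reason phrase.

    This mirrors what a server does with the reason parameter; the validation
    guarantees the result contains exactly one CRLF, at the end.
    """
    return f"HTTP/1.1 {status} {validate_reason(reason)}\r\n".encode("latin-1")


# Intended integration point (assumption about application code, aiohttp's
# Response does take a `reason` keyword):
#     web.Response(status=200, reason=sanitize_reason(untrusted_value))

if __name__ == "__main__":
    # Constructed sample values: a legitimate phrase and one carrying CR/LF.
    for sample in ("Not Found", "OK\r\nX-Injected: 1"):
        print(repr(sample), "safe" if is_safe_reason(sample) else "rejected",
              "->", repr(sanitize_reason(sample)))
```

Prefer `validate_reason` when the reason is not expected to contain anything but a fixed vocabulary; `sanitize_reason` is the option when the phrase is cosmetic and dropping characters is acceptable. Either way the check belongs at the point where untrusted data is turned into a `reason` argument, which is the only configuration the advisory describes as exploitable.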


How to mitigate CVE-2026-34519

Install the security update from the vendor's website.

Sources