Description
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, when following redirects to a different origin, aiohttp drops the Authorization header, but retains the Cookie and Proxy-Authorization headers. This issue has been patched in version 3.13.4.
Published: 2026-04-01
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Information disclosure of authentication credentials via leaked headers
Action: Apply patch
AI Analysis

Impact

The vulnerability causes the aiohttp client to retain the Cookie and Proxy-Authorization headers when it automatically follows a redirect to a different origin, while correctly dropping the Authorization header. Because the cookie and proxy authentication tokens are still sent to the new domain, an attacker who controls that domain receives credentials that were intended for a different server. This exposes confidential session data or proxy credentials, potentially allowing session hijacking or unauthorized proxy use. The weakness is an information exposure (CWE-200) compounded by improper authentication handling (CWE-497); the NVD data lists a placeholder CWE (NVD-CWE-noinfo) for the vulnerability.

Affected Systems

The aio-libs:aiohttp framework, versions earlier than 3.13.4, is affected. Updating to at least 3.13.4 removes the behaviour that causes the header leakage.

Risk and Exploitability

The stated CVSS score is 2.7, indicating a low-impact vulnerability. The EPSS score is less than 1%, signifying a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The likely attack path involves an attacker coaxing the aiohttp client to follow a cross-origin redirect to a malicious domain; the client will then transmit the retained Cookie and Proxy-Authorization headers to that domain, exposing the credentials. Because the flaw merely leaks headers and requires a redirect, exploitation is limited to environments where the client automatically follows redirects and the attacker can control the redirect target.

Generated by OpenCVE AI on April 17, 2026 at 09:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade aiohttp to version 3.13.4 or later.
  • If an upgrade is not immediately possible, configure aiohttp to disable automatic following of redirects or to reject cross-origin redirects.
  • Monitor application logs or network traffic for unexpected cross-origin redirects that could indicate exploitation attempts.
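
One way to carry out the second recommended action, as an added example that is neither aiohttp's nor OpenCVE's code: request with `allow_redirects=False`, follow `Location` by hand, and drop Authorization, Cookie and Proxy-Authorization whenever the next hop changes origin (scheme, host or port). The fetcher is injected so the logic runs offline; `fake_fetch`, `ROUTES` and the example.com/example.net URLs are constructed for the demonstration, and the aiohttp call shown in the comment is how a real fetcher would be written.

```python
import asyncio
from typing import Awaitable, Callable, Dict, Tuple
from urllib.parse import urljoin, urlsplit

# Headers that must not follow a redirect to a different origin. The set is the
# editor's choice for this example, not a constant taken from aiohttp.
SENSITIVE_HEADERS = frozenset({"authorization", "cookie", "proxy-authorization"})
REDIRECT_STATUSES = frozenset({301, 302, 303, 307, 308})

def origin(url: str) -> Tuple[str, str, int]:
    """(scheme, host, port) of a URL, with the scheme's default port filled in."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or (443 if scheme == "https" else 80)

def headers_for_hop(current: str, nxt: str, headers: Dict[str, str]) -> Dict[str, str]:
    """Same-origin hop: send everything. Cross-origin hop: drop credential headers."""
    if origin(current) == origin(nxt):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}
# fetch(url, headers) -> (status, response headers). Injected so the redirect logic
# runs offline; with a real aiohttp.ClientSession the body would be:
#   async with session.get(url, headers=headers, allow_redirects=False) as r:
#       return r.status, dict(r.headers)
Fetcher = Callable[[str, Dict[str, str]], Awaitable[Tuple[int, Dict[str, str]]]]
async def follow(fetch: Fetcher, url: str, headers: Dict[str, str], max_redirects: int = 5):
    """Follow redirects by hand; returns (final_url, status, headers sent on the last hop)."""
    sent = dict(headers)
    for _ in range(max_redirects + 1):
        status, resp_headers = await fetch(url, sent)
        location = resp_headers.get("Location")
        if status not in REDIRECT_STATUSES or not location:
            return url, status, sent
        nxt = urljoin(url, location)
        sent = headers_for_hop(url, nxt, sent)
        url = nxt
    raise RuntimeError("too many redirects")

# Constructed stand-in for the servers: a same-origin hop, then a cross-origin one.
ROUTES = {
    "https://api.example.com/start": (302, {"Location": "/step2"}),
    "https://api.example.com/step2": (302, {"Location": "https://other.example.net/final"}),
    "https://other.example.net/final": (200, {}),
}
async def fake_fetch(url: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    return ROUTES.get(url, (404, {}))
def run(url: str, headers: Dict[str, str]):
    """Synchronous entry point for the offline demonstration."""
    return asyncio.run(follow(fake_fetch, url, headers))
```

Running `run("https://api.example.com/start", {...})` with all three credential headers set ends at other.example.net with only the non-sensitive headers still attached, which is the behaviour the patched aiohttp is meant to provide for Cookie and Proxy-Authorization.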

Advisories

Source: GitHub GHSA
ID: GHSA-966j-vmvw-g2g9
Title: AIOHTTP leaks Cookie and Proxy-Authorization headers on cross-origin redirect

History

Thu, 16 Apr 2026 16:45:00 +0000

First Time appeared (added): Aiohttp; Aiohttp aiohttp
Weaknesses (added): NVD-CWE-noinfo
CPEs (added): cpe:2.3:a:aiohttp:aiohttp:*:*:*:*:*:*:*:*
Vendors & Products (added): Aiohttp; Aiohttp aiohttp
Metrics (removed): cvssV3_1 {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}
Metrics (added): cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Thu, 02 Apr 2026 20:30:00 +0000

First Time appeared (added): Aio-libs; Aio-libs aiohttp
Vendors & Products (added): Aio-libs; Aio-libs aiohttp

Thu, 02 Apr 2026 14:15:00 +0000

Metrics (added): ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 02 Apr 2026 00:15:00 +0000

Weaknesses (added): CWE-497
References
Metrics (removed): threat_severity None
Metrics (added): cvssV3_1 {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}; threat_severity Low

Wed, 01 Apr 2026 23:45:00 +0000

Description (added): AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, when following redirects to a different origin, aiohttp drops the Authorization header, but retains the Cookie and Proxy-Authorization headers. This issue has been patched in version 3.13.4.
Title (added): AIOHTTP: Cookie and Proxy-Authorization headers leaked on cross-origin redirect
Weaknesses (added): CWE-200
References
Metrics (added): cvssV4_0 {'score': 2.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T14:06:07.930Z

Reserved: 2026-03-30T16:03:31.047Z

Link: CVE-2026-34518

Vulnrichment

Updated: 2026-04-02T14:06:03.907Z

NVD

Status: Analyzed

Published: 2026-04-01T21:17:00.020

Modified: 2026-04-16T16:35:08.313

Link: CVE-2026-34518

Redhat

Severity: Low

Published: 2026-04-01T20:15:22Z

Links: CVE-2026-34518 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T10:00:03Z