CVE-2026-34520 - Vulnerability Details

- AIOHTTP: C parser (llhttp) accepts null bytes and control characters in response header values - header injection / security bypass

Description

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, the C parser (the default for most installs) accepted null bytes and control characters in response headers. This issue has been patched in version 3.13.4.

Published: 2026-04-01

Score: 2.7 Low

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability in AIOHTTP's default C parser allows the inclusion of null bytes and control characters in response header values, enabling header injection and potential security bypass. This improper handling of header data aligns with CWE‑113 (HTTP Response Splitting) and CWE‑1286 (Control characters in header values), and can lead to protocol manipulation or unintended response behavior.

Affected Systems

AIOHTTP releases prior to version 3.13.4 are affected when using the default C parser. This applies to all installations that rely on the C based parser for HTTP response parsing.

Risk and Exploitability

With a CVSS score of 2.7, the vulnerability carries a low impact assessment and no publicly available EPSS data suggests widespread exploitation. Attackers could remotely craft responses containing null or control characters, but success relies on the vulnerable parser and does not typically lead to high‑severity outcomes unless combined with other weaknesses.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

aio-libs

aiohttp

affected

Version	Status	Constraints
`< 3.13.4`	affected	—

Configuration 1 [-]

cpe:2.3:a:aiohttp:aiohttp:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Aio-libs

Aiohttp

100%

Version	Status	Scheme	Platform
`[0,3.13.4)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade aiohttp to version 3.13.4 or later
If an upgrade is not immediately possible, validate and sanitize all HTTP response header values before processing to eliminate null bytes and control characters

Generated by OpenCVE AI on April 2, 2026 at 02:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-63hf-3vf5-4wqf	AIOHTTP's C parser (llhttp) accepts null bytes and control characters in response header values - header injection/security bypass

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00057.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/aio-libs/aiohttp/commit/9370b9714a7a56003cacd31a9b4ae16eab109ba4
https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-63hf-3vf5-4wqf
https://nvd.nist.gov/vuln/detail/CVE-2026-34520
https://www.cve.org/CVERecord?id=CVE-2026-34520

History

Thu, 16 Apr 2026 16:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Aiohttp Aiohttp aiohttp
CPEs		cpe:2.3:a:aiohttp:aiohttp::::::::
Vendors & Products		Aiohttp Aiohttp aiohttp

Sat, 04 Apr 2026 05:00:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N'}`	ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}` cvssV3_1 `{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}`

Thu, 02 Apr 2026 20:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Aio-libs Aio-libs aiohttp
Vendors & Products		Aio-libs Aio-libs aiohttp

Thu, 02 Apr 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-1286
References		https://nvd.nist.gov/vuln/detail/CVE-2026-34520 https://www.cve.org/CVERecord?id=CVE-2026-34520
Metrics	threat_severity `None`	cvssV3_1 `{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N'}` threat_severity `Low`

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
Description		AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, the C parser (the default for most installs) accepted null bytes and control characters in response headers. This issue has been patched in version 3.13.4.
Title		AIOHTTP: C parser (llhttp) accepts null bytes and control characters in response header values - header injection / security bypass
Weaknesses		CWE-113
References		https://github.com/aio-libs/aiohttp/commit/9370b9714a7a56003cacd31a9b4ae16eab109ba4 https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4 https://github.com/aio-libs/aiohttp/security/advisories/GHSA-63hf-3vf5-4wqf
Metrics		cvssV4_0 `{'score': 2.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U'}`

Subscriptions

Aio-libs Aiohttp

Aiohttp Aiohttp

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-01T20:27:48.350Z

Updated: 2026-04-04T03:13:48.418Z

Reserved: 2026-03-30T16:03:31.047Z

Link: CVE-2026-34520

Vulnrichment

Updated: 2026-04-04T03:13:43.374Z

NVD

Status : Analyzed

Published: 2026-04-01T21:17:00.333

Modified: 2026-04-16T16:24:37.047

Link: CVE-2026-34520

Redhat

Severity : Low

Publid Date: 2026-04-01T20:27:48Z

Links: CVE-2026-34520 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-02T20:16:39Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object