Description
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, cookies set with the `cookies` parameter on requests are sent after following a cross-origin redirect. If a developer uses the `cookies` parameter on a per-request basis then sensitive data might be leaked to an attacker if they manage to control a redirect. Version 3.14.0 patches the issue. If unable to upgrade, using a `Cookie` header in the `headers` parameter is not vulnerable.
Published: 2026-06-02
Score: 6.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

AIOHTTP versions older than 3.14.0 allow a vulnerability where cookies supplied through the per‑request "cookies" parameter are transmitted after following a cross‑origin HTTP redirect. Attackers who can influence the redirect URL can therefore receive the requester's sensitive cookie data in a new origin, leaking confidential information. This flaw is classified as CWE‑201 and CWE‑346, indicating that output redirection is improperly controlled, leading to unintended information disclosure.

Affected Systems

The issue affects the aio‑libs AIOHTTP framework for Python and asyncio. All releases prior to version 3.14.0 are vulnerable. This includes both client and server components that accept per‑request cookie parameters.

Risk and Exploitability

The CVSS base score of 6.6 indicates a medium severity of confidentiality compromise. EPSS data shows a likelihood of exploitation of less than 1%, and the vulnerability is not listed in the CISA KEV catalog, suggesting low observed exploitation. However, if an application relies on per‑request cookies and processes redirects, an attacker who can instruct the client to redirect to a malicious domain could steal cookies. The simplest attack vector involves instructing the AIOHTTP client to perform a redirect to an attacker‑controlled host; no local code execution is required.

Generated by OpenCVE AI on June 4, 2026 at 13:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade aio‑libs AIOHTTP to version 3.14.0 or later to fix the per‑request cookie redirect issue.
  • If an upgrade cannot be performed immediately, replace the per‑request "cookies" parameter with a plain "Cookie" header in the "headers" dictionary, which is not susceptible to this redirect flaw.
  • Audit application code to ensure it does not unintentionally force redirects to untrusted external origins, and consider disabling automatic redirects if not needed.

Generated by OpenCVE AI on June 4, 2026 at 13:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-hg6j-4rv6-33pg AIOHTTP is vulnerable to cross-origin redirect with per-request cookies
History

Fri, 05 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
First Time appeared Aiohttp
Aiohttp aiohttp
CPEs cpe:2.3:a:aiohttp:aiohttp:*:*:*:*:*:*:*:*
Vendors & Products Aiohttp
Aiohttp aiohttp
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Thu, 04 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-201
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

threat_severity

Moderate

Wed, 03 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 03 Jun 2026 04:30:00 +0000

Type Values Removed Values Added
First Time appeared Aio-libs
Aio-libs aiohttp
Vendors & Products Aio-libs
Aio-libs aiohttp

Wed, 03 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Description AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, cookies set with the `cookies` parameter on requests are sent after following a cross-origin redirect. If a developer uses the `cookies` parameter on a per-request basis then sensitive data might be leaked to an attacker if they manage to control a redirect. Version 3.14.0 patches the issue. If unable to upgrade, using a `Cookie` header in the `headers` parameter is not vulnerable.
Title AIOHTTP vulnerable to cross-origin redirect with per-request cookies
Weaknesses CWE-346
References
Metrics cvssV4_0

{'score': 6.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U'}

Subscriptions

Aio-libs Aiohttp
Aiohttp Aiohttp
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-03T12:48:54.358Z

Reserved: 2026-05-18T23:03:37.229Z

Link: CVE-2026-47265

cve-icon Vulnrichment

Updated: 2026-06-03T12:48:50.920Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-02T20:16:37.903

Modified: 2026-06-05T13:39:20.167

Link: CVE-2026-47265

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-02T18:32:50Z

Links: CVE-2026-47265 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-04T13:30:06Z

Weaknesses
  • CWE-201

    Insertion of Sensitive Information Into Sent Data

  • CWE-346

    Origin Validation Error