Description
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.0, attacker-controlled input included into multipart/payload headers can be used to modify a request to inject additional headers or similar. In the unlikely situation that an application is passing user-controlled strings into MultipartWriter.append(headers=...) or Payload.headers, then an attacker may be able to modify the request to inject headers or change the contents of the request. This vulnerability is fixed in 3.14.0.
Published: 2026-06-22
Score: 2.7 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

AIOHTTP, an asynchronous HTTP client/server framework for Python, contained a CRLF injection flaw in its multipart/payload header handling. An attacker who can supply a crafted string for the headers passed to MultipartWriter.append or Payload.headers can insert or alter HTTP headers in the outgoing request. This can be leveraged to modify request semantics, potentially enabling request smuggling, header injection, or other attacks in applications that build multipart requests from user-controlled input.

Affected Systems

The issue affects versions of aio-libs' aiohttp prior to 3.14.0. Any application that passes user-supplied data directly into MultipartWriter.append headers or Payload.headers without validation is at risk. The fix is in release 3.14.0.

Risk and Exploitability

The CVSS score is 2.7, indicating low severity, and the vulnerability is not listed in CISA KEV. The EPSS score is not available, suggesting limited exploitation data. Exploitation requires the application to expose multipart header construction to an attacker, a relatively uncommon scenario. Thus, while the attack surface is constrained, any exposed integration should be patched immediately.

Generated by OpenCVE AI on June 22, 2026 at 18:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade aiohttp to version 3.14.0 or newer where the bug is fixed
  • Audit code to ensure no user input is passed directly into MultipartWriter.append(headers=…) or Payload.headers without sanitization
  • Implement input validation to reject or escape CRLF characters in header values before use
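A header validation step of the kind recommended above, as an added example (this is not aiohttp's own code and does not import aiohttp). It is meant to sit in front of the MultipartWriter.append(headers=...) or Payload.headers calls named in the advisory; the validation rules are this example's own conservative choice (names must be RFC 7230 tokens, values may contain only printable ASCII plus HTAB), and the sample inputs are constructed.

```python
"""Validate untrusted header names/values before they reach aiohttp's
MultipartWriter.append(headers=...) or Payload.headers.

Added example, not aiohttp's code. The rules below are this example's own
conservative choice: names must be RFC 7230 tokens; values may contain only
printable ASCII plus HTAB, so CR, LF, NUL, other C0 controls, DEL and
non-ASCII characters are rejected rather than escaped.
"""
import re
from typing import Mapping

# RFC 7230 "token": tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" /
#   "-" / "." / "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# Anything outside HTAB, SP and printable ASCII (0x21-0x7E) is refused.
_FORBIDDEN_IN_VALUE = re.compile(r"[^\t\x20-\x7e]")


class HeaderInjectionError(ValueError):
    """Raised when a header name or value could split the header block."""


def validate_header_name(name: str) -> str:
    """Return `name` unchanged if it is a valid token, else raise."""
    if not isinstance(name, str) or not _TOKEN_RE.match(name):
        raise HeaderInjectionError(f"invalid header name: {name!r}")
    return name


def validate_header_value(value: str) -> str:
    """Return `value` unchanged if it contains no CR/LF/control characters."""
    if not isinstance(value, str):
        raise HeaderInjectionError("header value must be str")
    match = _FORBIDDEN_IN_VALUE.search(value)
    if match:
        raise HeaderInjectionError(
            f"forbidden character {match.group()!r} at offset "
            f"{match.start()} in header value"
        )
    return value


def is_safe_header_value(value: str) -> bool:
    """Boolean form of validate_header_value, handy for filters and tests."""
    try:
        validate_header_value(value)
        return True
    except HeaderInjectionError:
        return False


def safe_part_headers(untrusted: Mapping[str, str]) -> dict:
    """Return a validated copy of `untrusted`, or raise on the first bad entry.

    Intended call site (aiohttp API name taken from the advisory; not
    exercised here so the example stays dependency-free):

        writer.append(payload, headers=safe_part_headers(user_headers))
    """
    return {
        validate_header_name(k): validate_header_value(v)
        for k, v in untrusted.items()
    }


if __name__ == "__main__":
    # Constructed inputs: a benign header set and one carrying an embedded CRLF.
    benign = {"Content-Type": "text/plain", "X-Upload-Tag": "report-2026"}
    hostile = {"Content-Type": "text/plain\r\nX-Injected: 1"}
    print(safe_part_headers(benign))
    try:
        safe_part_headers(hostile)
    except HeaderInjectionError as exc:
        print("rejected:", exc)
```

Rejecting rather than stripping CR/LF is deliberate: a silently "cleaned" value still came from an attacker who was probing the header path, and the raised HeaderInjectionError is the event worth logging.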

Advisories
Source: Github GHSA
ID: GHSA-m6qw-4cw2-hm4m
Title: aiohttp: CRLF injection in multipart headers
History

Mon, 22 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Description AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.0, attacker-controlled input included into multipart/payload headers can be used to modify a request to inject additional headers or similar. In the unlikely situation that an application is passing user-controlled strings into MultipartWriter.append(headers=...) or Payload.headers, then an attacker may be able to modify the request to inject headers or change the contents of the request. This vulnerability is fixed in 3.14.0.
Title AIOHTTP: CRLF injection in multipart headers
Weaknesses CWE-113
CWE-93
References
Metrics cvssV4_0

{'score': 2.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T17:22:34.049Z

Reserved: 2026-06-04T16:26:05.984Z

Link: CVE-2026-50269

Vulnrichment

Updated: 2026-06-22T17:22:29.603Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T18:30:15Z

Weaknesses
  • CWE-113

    Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

  • CWE-93

    Improper Neutralization of CRLF Sequences ('CRLF Injection')