Description
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, the server_hostname TLS SNI check can be bypassed when an existing connection is reused. If an application makes multiple requests to the same domain, but with different per-request server_hostname parameters, then the later calls may succeed by reusing the existing connection when they should have been rejected due to the TLS SNI check. This vulnerability is fixed in 3.14.1.
Published: 2026-06-22
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

AIOHTTP allows the TLS Server Name Indication (SNI) check to be ignored when an existing connection is reused, enabling an attacker to override the intended server hostname and connect to a different target than specified. This flaw may allow traffic intended for one domain to be inadvertently routed to another, potentially exposing data or enabling subtle man‑in‑the‑middle interference. The official CVSS score of 2.7 indicates a low severity, reflecting that the flaw requires precise control over application‑level request parameters and that it does not grant immediate credential compromise or arbitrary code execution.

Affected Systems

The issue affects the aio-libs aiohttp library, versions prior to 3.14.1, which runs on Python/asyncio environments. Applications that use this library to issue multiple HTTPS requests to the same domain while specifying different per‑request server_hostname values are impacted.

Risk and Exploitability

The vulnerability is low risk, with an EPSS score of < 1% and no listing in the CISA KEV catalog. It is inferred that the attack vector requires an attacker to control or influence application‑level request parameters and that it does not grant immediate credential compromise or arbitrary code execution. The low CVSS score and lack of evidence of active exploitation further suggest limited immediate threat. However, any deployment using older aiohttp versions should be updated to eliminate the possibility of server hostname mis‑resolution during connection reuse.

Generated by OpenCVE AI on June 26, 2026 at 04:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade aiohttp to version 3.14.1 to apply the vendor fix that restores correct TLS SNI validation on reused connections.
  • Modify application code to avoid reusing connections when server_hostname values differ, for example by creating a new connector per request or disabling connection pooling for those requests.
  • Monitor outbound HTTPS traffic for unexpected hostnames or mismatched SNI values to detect potential misrouting.

Generated by OpenCVE AI on June 26, 2026 at 04:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-4m7w-qmgq-4wj5 aiohttp: TLS Server Hostname Override Is Ignored When Reusing HTTPS Connections
History

Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-367
References
Metrics threat_severity

None

cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N'}

threat_severity

Moderate


Mon, 22 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Aio-libs
Aio-libs aiohttp
Vendors & Products Aio-libs
Aio-libs aiohttp

Mon, 22 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Description AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, the server_hostname TLS SNI check can be bypassed when an existing connection is reused. If an application makes multiple requests to the same domain, but with different per-request server_hostname parameters, then the later calls may succeed by reusing the existing connection when they should have been rejected due to the TLS SNI check. This vulnerability is fixed in 3.14.1.
Title AIOHTTP: TLS Server Hostname Override Is Ignored When Reusing HTTPS Connections
Weaknesses CWE-297
References
Metrics cvssV4_0

{'score': 2.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U'}


Subscriptions

Aio-libs Aiohttp
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T17:27:34.536Z

Reserved: 2026-06-12T17:13:32.280Z

Link: CVE-2026-54275

cve-icon Vulnrichment

Updated: 2026-06-22T17:27:29.508Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-22T16:34:56Z

Links: CVE-2026-54275 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T05:00:04Z

Weaknesses
  • CWE-297

    Improper Validation of Certificate with Host Mismatch

  • CWE-367

    Time-of-check Time-of-use (TOCTOU) Race Condition