Description
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, the server_hostname TLS SNI check can be bypassed when an existing connection is reused. If an application makes multiple requests to the same domain, but with different per-request server_hostname parameters, then the later calls may succeed by reusing the existing connection when they should have been rejected due to the TLS SNI check. This vulnerability is fixed in 3.14.1.
Published: 2026-06-22
Score: 2.7 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

AIOHTTP allows the TLS Server Name Indication (SNI) check to be skipped when an existing connection is reused, so a per-request server_hostname override is silently ignored and the request is sent over a connection that was validated for a different hostname. Traffic intended for one hostname can therefore be routed to another, potentially exposing data or enabling subtle man-in-the-middle interference. The official CVSS score of 2.7 indicates low severity, reflecting that the flaw requires precise control over application-level request parameters and that it does not grant immediate credential compromise or arbitrary code execution.

Affected Systems

The issue affects the aio-libs aiohttp library, versions prior to 3.14.1, running on Python/asyncio environments. Applications that use this library to issue multiple HTTPS requests to the same domain while specifying different per-request server_hostname values are impacted.

Risk and Exploitability

The vulnerability is low risk, with no EPSS score available and no listing in the CISA KEV catalog. The attack vector is inferred to require an attacker to control or influence application code so that it issues the differing requests, making casual exploitation unlikely. The low CVSS score and the absence of evidence of active exploitation further suggest a limited immediate threat. However, any deployment using older aiohttp versions should be updated to eliminate the possibility of server hostname mis-resolution during connection reuse.

Generated by OpenCVE AI on June 22, 2026 at 19:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade aiohttp to 3.14.1 or newer
  • Configure the application to avoid reusing connections when server_hostname values differ, for example by creating a new connector per request or disabling connection pooling for such requests
  • Monitor outbound HTTPS traffic for unexpected hostnames or mismatched SNI values to detect potential misrouting



Advisories
Source: GitHub GHSA
ID: GHSA-4m7w-qmgq-4wj5
Title: aiohttp: TLS Server Hostname Override Is Ignored When Reusing HTTPS Connections
History

Mon, 22 Jun 2026 19:30:00 +0000

Type: Metrics (ssvc)
Values removed: none
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 17:30:00 +0000

Values removed: none
Values added:
  • Description: AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, the server_hostname TLS SNI check can be bypassed when an existing connection is reused. If an application makes multiple requests to the same domain, but with different per-request server_hostname parameters, then the later calls may succeed by reusing the existing connection when they should have been rejected due to the TLS SNI check. This vulnerability is fixed in 3.14.1.
  • Title: AIOHTTP: TLS Server Hostname Override Is Ignored When Reusing HTTPS Connections
  • Weaknesses: CWE-297
  • References
  • Metrics (cvssV4_0): {'score': 2.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T17:27:34.536Z

Reserved: 2026-06-12T17:13:32.280Z

Link: CVE-2026-54275

Vulnrichment

Updated: 2026-06-22T17:27:29.508Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T19:30:06Z

Weaknesses
  • CWE-297: Improper Validation of Certificate with Host Mismatch