Description
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, host-only cookies that are saved with CookieJar.save() and then restored later with CookieJar.load() lose their host-only status. This vulnerability is fixed in 3.14.1.
Published: 2026-06-22
Score: 1.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Prior to version 3.14.1, aio-libs AIOHTTP mistakenly strips the host-only flag from cookies when the CookieJar is saved and later restored, causing the cookies to be treated as domain cookies. This conversion can expose session identifiers or other sensitive data to a wider set of subdomains, potentially enabling attackers to read or hijack user session information. The bug is triggered only when CookieJar.save() and CookieJar.load() are used, and it is fixed in AIOHTTP 3.14.1.
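To make the scope change concrete, the following is an added, stdlib-only model of RFC 6265 host-only versus domain-cookie matching with a lossy and a flag-preserving save/load round trip. It is not aiohttp's CookieJar code; the cookie, its value and the host names are constructed for the example.

```python
"""Model of why losing the host-only flag on persistence widens a cookie's scope."""
from dataclasses import dataclass, asdict
import json


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str      # canonical host, no leading dot
    host_only: bool  # True when Set-Cookie carried no Domain attribute


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 s5.1.3: exact match, or request host ends with '.' + domain."""
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def cookie_applies(cookie: Cookie, request_host: str) -> bool:
    """RFC 6265 s5.4: host-only cookies require exact host equality."""
    if cookie.host_only:
        return request_host == cookie.domain
    return domain_matches(request_host, cookie.domain)


def save_jar(cookies: list, keep_host_only: bool) -> str:
    """Serialize; keep_host_only=False models a jar that forgets the flag."""
    rows = []
    for c in cookies:
        d = asdict(c)
        if not keep_host_only:
            del d["host_only"]  # the flag never reaches disk
        rows.append(d)
    return json.dumps(rows)


def load_jar(blob: str) -> list:
    """Restore; a missing flag comes back as a domain cookie (the widening)."""
    return [Cookie(r["name"], r["value"], r["domain"], r.get("host_only", False))
            for r in json.loads(blob)]


def hosts_receiving(cookies: list, name: str, hosts: list) -> list:
    """Which candidate hosts would be sent the named cookie."""
    return sorted({h for h in hosts for c in cookies if c.name == name and cookie_applies(c, h)})


# Constructed sample: a session cookie set by example.com without a Domain attribute.
SESSION = Cookie("session", "constructed-value", "example.com", host_only=True)
HOSTS = ["example.com", "api.example.com", "staging.example.com", "notexample.com"]


def demo():
    before = hosts_receiving([SESSION], "session", HOSTS)
    lossy = hosts_receiving(load_jar(save_jar([SESSION], keep_host_only=False)), "session", HOSTS)
    fixed = hosts_receiving(load_jar(save_jar([SESSION], keep_host_only=True)), "session", HOSTS)
    return before, lossy, fixed


if __name__ == "__main__":
    print(demo())
```

The same comparison, run with a real CookieJar.save()/load() round trip and filter_cookies() against a subdomain URL, is a quick regression check for an upgraded deployment.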

Affected Systems

Any deployment of aio-libs AIOHTTP older than 3.14.1 that uses persistent cookie storage via CookieJar.save() or load() is impacted. The vulnerability does not depend on the operating system or specific Python environment, so all projects that import aiohttp and rely on that functionality are at risk.

Risk and Exploitability

The CVSS base score of 1.3 and the absence of an EPSS score or KEV listing indicate a very low overall risk. Exploitation requires local access to the persisted CookieJar or manipulation of the persistence process, limiting the attack surface to trusted users or compromised systems. While the flaw can lead to data leakage, the impact is constrained to cookie visibility and does not provide remote code execution or denial of service.

Generated by OpenCVE AI on June 22, 2026 at 18:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to AIOHTTP 3.14.1 or later (the fix removes the downgrade of cookie scope)
  • Avoid persisting host-only cookies that contain sensitive data; delete or neutralize them before calling CookieJar.save()
  • Restrict use of CookieJar persistence to trusted contexts and delete the persisted file after use
  • If an upgrade is not immediately available, manually strip the domain attribute from cookies before they are written to disk



Advisories
Source: GitHub GHSA
ID: GHSA-2fqr-mr3j-6wp8
Title: aiohttp: Host-Only Cookies Become Domain Cookies After CookieJar Persistence
History

Mon, 22 Jun 2026 18:30:00 +0000

Values added:

Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 17:30:00 +0000

Values added:

Description: AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.1, host-only cookies that are saved with CookieJar.save() and then restored later with CookieJar.load() lose their host-only status. This vulnerability is fixed in 3.14.1.
Title: AIOHTTP: Host-Only Cookies Become Domain Cookies After CookieJar Persistence
Weaknesses: CWE-665
References: (none listed)
Metrics (cvssV4_0): {'score': 1.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T17:40:23.923Z

Reserved: 2026-06-12T17:13:32.280Z

Link: CVE-2026-54279

Vulnrichment

Updated: 2026-06-22T17:40:20.234Z

NVD

No data.

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T18:45:04Z

Weaknesses