Platform
python
Component
aiohttp
Fixed in
3.13.5
3.13.4
CVE-2026-34518 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in the aiohttp Python library. The flaw occurs when aiohttp follows a redirect to a different origin: it drops only the Authorization header and still forwards the Cookie and Proxy-Authorization headers to the new origin, which can expose sensitive information. The vulnerability affects versions of aiohttp up to and including 3.9.5, and a patch is available in version 3.13.4.
The primary impact of CVE-2026-34518 is the potential exposure of sensitive data contained within Cookie and Proxy-Authorization headers. These headers often carry authentication tokens, session identifiers, or other credentials. When a user is redirected to a different origin (domain), aiohttp's handling of these headers can inadvertently transmit this information to a third-party server. This could lead to unauthorized access to user accounts, data breaches, or other malicious activities. The risk is amplified in environments where redirects are frequently used, or where sensitive data is routinely transmitted within these headers.
CVE-2026-34518 has a LOW CVSS score of 2.5. As of the publication date (2026-04-01), there are no publicly known proof-of-concept exploits. It is not currently listed on the CISA KEV catalog. The vulnerability's impact is primarily related to information disclosure, making it less likely to be actively exploited in the short term, but still warrants attention and remediation.
Applications and services built using aiohttp, particularly those that handle user authentication via cookies or proxy authentication, are at risk. This includes web applications, APIs, and microservices that rely on aiohttp for HTTP requests and redirection handling. Environments with legacy authentication schemes or custom cookie implementations are especially vulnerable.
• python / server:

    import requests
    from urllib.parse import urlparse

    # Credential-bearing headers that must not be forwarded to a different origin
    SENSITIVE = ("Cookie", "Proxy-Authorization", "Authorization")

    def check_redirect_headers(url):
        """Follow redirects and report sensitive headers sent to a different origin."""
        try:
            response = requests.get(url, allow_redirects=True, stream=True)
            # Each entry in history is a redirecting response; the request that
            # followed it belongs to the next entry (or to the final response).
            hops = list(response.history) + [response]
            for prev, nxt in zip(hops, hops[1:]):
                if urlparse(prev.url).netloc != urlparse(nxt.url).netloc:
                    print(f"Redirect to different origin detected: {prev.url} -> {nxt.url}")
                    for name in SENSITIVE:
                        # request.headers is case-insensitive, so 'in' matches any casing
                        if name in nxt.request.headers:
                            print(f"  {name} header was forwarded across origins")
        except requests.RequestException as e:
            print(f"Error during request: {e}")

    # Example usage
    check_redirect_headers("http://example.com/redirect")
Exploit status
EPSS
0.05% (16th percentile)
The recommended mitigation for CVE-2026-34518 is to upgrade to aiohttp version 3.13.4 or later. This version includes a fix that properly handles headers during redirects, preventing the leakage of sensitive information. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) or proxy server rules to inspect and sanitize headers during redirects. Specifically, configure the WAF to strip or mask Cookie and Proxy-Authorization headers when redirects occur to different origins. Additionally, review application code to avoid relying on the Authorization header when following redirects.
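The header policy described above, written out as an added stdlib-only example (not code from aiohttp or from this advisory): credential-bearing headers travel with a same-origin hop and are removed on a cross-origin hop. The redirect chain and header values are constructed sample data.

```python
from urllib.parse import urlsplit, urljoin

# The three headers named in the advisory; compared case-insensitively.
CREDENTIAL_HEADERS = frozenset({"authorization", "cookie", "proxy-authorization"})
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """(scheme, host, port) with default ports filled in, so that
    http://a.example and http://a.example:80 compare as the same origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, (parts.hostname or "").lower(), port)


def headers_for_redirect(current_url, location, headers):
    """Headers to send when following a redirect from current_url to location.
    Same origin: unchanged. Different origin: every credential header dropped,
    not only Authorization."""
    if origin(current_url) == origin(location):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in CREDENTIAL_HEADERS}


def follow_chain(start_url, chain, headers):
    """Walk a constructed redirect chain (dict: url -> Location value) and record
    the (url, headers) that would be sent at each hop. Stands in for a client;
    relative Location values are resolved like a browser would."""
    sent, url, current = [], start_url, dict(headers)
    while True:
        sent.append((url, dict(current)))
        location = chain.get(url)
        if location is None:
            return sent
        target = urljoin(url, location)
        current = headers_for_redirect(url, target, current)
        url = target


if __name__ == "__main__":
    # Constructed chain: same-origin hop, then a hop to a different host.
    chain = {"https://api.example/v1": "/v2",
             "https://api.example/v2": "https://cdn.example/blob"}
    creds = {"Authorization": "Bearer constructed", "Cookie": "sid=constructed",
             "Proxy-Authorization": "Basic constructed", "Accept": "*/*"}
    for url, hdrs in follow_chain("https://api.example/v1", chain, creds):
        print(url, sorted(hdrs))
```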
Upgrade to AIOHTTP version 3.13.4 or later. This version fixes the leak of the Cookie and Proxy-Authorization headers when following redirects to a different origin. The upgrade can be performed with the pip package manager.
CVE-2026-34518 is a Server-Side Request Forgery vulnerability in the aiohttp Python library where sensitive headers are leaked during redirects to different origins.
You are affected if you are using aiohttp version 3.9.5 or earlier. Upgrade to 3.13.4 or later to mitigate the risk.
Upgrade to aiohttp version 3.13.4 or later. If immediate upgrade is not possible, implement temporary workarounds like header filtering or URL scrutiny.
No active exploitation campaigns are currently known, but the vulnerability's ease of triggering suggests it could become a target.
Refer to the aiohttp GitHub repository for details and the patch: https://github.com/aio-libs/aiohttp/commit/5351c980dcec7ad385730efdf4e1f4338b24fdb6