Platform: python
Component: aiohttp
Fixed in: 3.13.5, 3.13.4
CVE-2026-34516 describes a denial-of-service (DoS) vulnerability within the aiohttp Python web framework. An attacker can exploit this flaw by sending requests with an excessive number of multipart headers, potentially leading to memory exhaustion and service disruption. This vulnerability impacts versions of aiohttp up to and including 3.9.5, but a fix is available in version 3.13.4.
The vulnerability stems from a lack of size restrictions on multipart headers compared to regular headers within aiohttp. This allows an attacker to craft malicious requests containing a significantly larger volume of header data. When aiohttp processes these oversized headers, it can allocate excessive memory, potentially leading to a denial-of-service condition. While other restrictions are in place, the potential for memory exhaustion remains a significant risk, especially in high-traffic environments. Successful exploitation could render the web application unresponsive, impacting legitimate users and potentially disrupting critical business operations.
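To make the missing bound concrete, here is an added illustration (not aiohttp's own code or its patch) of a multipart body splitter that caps the raw header block of each part before parsing it, so a part carrying an oversized header block is rejected instead of allocated; the cap value, boundary and sample bodies are constructed for this example.

```python
# Illustrative cap on the raw header bytes of one multipart part.
# This value is an assumption for the example, not aiohttp's limit.
MAX_PART_HEADER_BYTES = 8192


class PartHeadersTooLarge(ValueError):
    """One part's header block exceeds the configured cap."""


def split_multipart(body: bytes, boundary: bytes,
                    max_header_bytes: int = MAX_PART_HEADER_BYTES):
    """Return [(headers_dict, payload_bytes), ...] for each part.

    The size check runs on the raw header block *before* it is split into
    individual headers, so an oversized block never becomes per-header objects.
    """
    delimiter = b"--" + boundary
    parts = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):          # closing "--boundary--"
            break
        chunk = chunk.lstrip(b"\r\n")
        head, sep, payload = chunk.partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("part has no header/body separator")
        if len(head) > max_header_bytes:     # the bound this CVE lacked
            raise PartHeadersTooLarge(
                f"part headers are {len(head)} bytes, cap is {max_header_bytes}")
        headers = {}
        for line in head.split(b"\r\n"):
            name, _, value = line.partition(b":")
            headers[name.strip().lower()] = value.strip()
        if payload.endswith(b"\r\n"):        # CRLF preceding next delimiter
            payload = payload[:-2]
        parts.append((headers, payload))
    return parts


BOUNDARY = b"exampleboundary"  # constructed sample boundary


def sample_body(filler_len: int) -> bytes:
    """Constructed two-part body; part 2 carries a filler header of filler_len bytes."""
    return (b"--" + BOUNDARY + b"\r\n"
            b'Content-Disposition: form-data; name="field"\r\n\r\n'
            b"hello\r\n"
            b"--" + BOUNDARY + b"\r\n"
            b'Content-Disposition: form-data; name="file"; filename="a.txt"\r\n'
            b"X-Filler: " + b"a" * filler_len + b"\r\n\r\n"
            b"file contents\r\n"
            b"--" + BOUNDARY + b"--\r\n")


def check_body(body: bytes) -> str:
    """Classify a body as accepted (with part count) or rejected by the cap."""
    try:
        return f"accepted:{len(split_multipart(body, BOUNDARY))}"
    except PartHeadersTooLarge:
        return "rejected"
```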
This CVE was publicly disclosed on 2026-04-01. No public proof-of-concept (PoC) code has been released at the time of writing. The EPSS score is currently unavailable, but given the potential for DoS and the ease of crafting malicious requests, the probability of exploitation should be considered medium. No confirmed exploitation campaigns have been observed.
Exploit Status
EPSS: 0.05% (15th percentile)
CVSS Vector
The primary mitigation for CVE-2026-34516 is to upgrade to aiohttp version 3.13.4 or later, which includes the necessary fix. If upgrading immediately is not feasible, consider implementing temporary workarounds such as rate limiting incoming requests to reduce the likelihood of receiving malicious multipart headers. Web application firewalls (WAFs) can also be configured to inspect and block requests with unusually large header sizes. Monitoring memory usage on the server is also recommended to detect potential DoS attacks.
Update to version 3.13.4 or higher of aiohttp. This version fixes the denial-of-service vulnerability caused by unbounded multipart header handling.
CVE-2026-34516 is a denial-of-service vulnerability in the aiohttp Python web framework where excessive multipart headers can cause memory exhaustion.
You are affected if you are using aiohttp versions 3.9.5 or earlier. Upgrade to 3.13.4 or later to resolve the issue.
Upgrade aiohttp to version 3.13.4 or later. Consider temporary workarounds like rate limiting if immediate upgrade is not possible.
No active exploitation campaigns have been confirmed at this time, but the potential for exploitation exists due to the ease of crafting malicious requests.
Refer to the aiohttp GitHub repository for details and the patch: https://github.com/aio-libs/aiohttp/commit/8a74257b3804c9aac0bf644af93070f68f6c5a6f