Platform
python
Component
aiohttp
Fixed in
3.13.5
3.13.4
CVE-2026-34518 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in the aiohttp Python library. The flaw occurs when aiohttp follows a redirect to a different origin: it drops the Authorization header but retains the Cookie and Proxy-Authorization headers, so those headers are sent to the new origin and sensitive information can be exposed. The vulnerability affects versions of aiohttp up to and including 3.9.5, and a patch is available in version 3.13.4.
The core impact of CVE-2026-34518 lies in the potential leakage of sensitive data carried in the Cookie and Proxy-Authorization headers. When aiohttp follows a redirect to a different origin, these headers are not stripped, so their contents are forwarded to a party that should never receive them. This could include authentication tokens, session identifiers, or other credentials that attackers could leverage to gain unauthorized access to backend systems or data. The risk is amplified in environments where these headers carry secrets, such as deployments that use proxy authentication or custom cookie-based authentication schemes. While the CVSS score is low, the potential for data exposure warrants immediate attention.
CVE-2026-34518 is not currently listed on KEV or EPSS. The EPSS score is likely low given the CVSS score and the requirement for specific redirect configurations to trigger the vulnerability. No public proof-of-concept (PoC) exploits have been released as of the publication date. Active exploitation campaigns are not currently known, but the ease of identifying and triggering the vulnerability suggests it could become a target for opportunistic attackers.
Exploit Status
EPSS
0.05% (16th percentile)
CISA SSVC
The primary mitigation for CVE-2026-34518 is to upgrade to aiohttp version 3.13.4 or later, which includes the fix for this vulnerability. If upgrading is not immediately feasible because of compatibility issues or breaking changes, consider temporary workarounds. These include scrutinizing redirect URLs so that requests are never redirected to untrusted origins, or applying stricter header-filtering policies at the proxy or web server level to strip sensitive headers before they reach aiohttp. For environments that use reverse proxies, configure the proxy to handle redirects and header stripping. After upgrading, confirm the fix by sending a request that triggers a cross-origin redirect and verifying that the Cookie and Proxy-Authorization headers are not forwarded in the follow-up request to the new origin.
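As an added example (not aiohttp's own code), the following models the header policy described above: a model of the pre-fix behaviour, which drops only Authorization on a cross-origin redirect, next to the hardened policy that also drops Cookie and Proxy-Authorization. The function names and the sample headers are constructed for illustration; an origin is compared as (scheme, host, port) with default ports filled in.

```python
# Added example: models the redirect header policy from this advisory.
# This is illustrative code, not aiohttp's implementation.
from urllib.parse import urlsplit, urljoin

DEFAULT_PORTS = {"http": 80, "https": 443}
# Headers that must never cross an origin boundary on a redirect.
SENSITIVE_HEADERS = frozenset({"authorization", "cookie", "proxy-authorization"})


def origin(url):
    """Return the (scheme, host, port) origin of a URL, normalised."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def _strip(headers, names):
    """Copy headers, dropping any whose name (case-insensitive) is in names."""
    return {k: v for k, v in headers.items() if k.lower() not in names}


def headers_for_redirect_prefix(request_url, location, headers):
    """Model of the pre-fix behaviour described in the advisory:
    only Authorization is dropped when the origin changes."""
    target = urljoin(request_url, location)
    if origin(target) == origin(request_url):
        return target, dict(headers)
    return target, _strip(headers, {"authorization"})


def headers_for_redirect(request_url, location, headers):
    """Hardened policy: on an origin change, drop every sensitive header."""
    target = urljoin(request_url, location)
    if origin(target) == origin(request_url):
        return target, dict(headers)
    return target, _strip(headers, SENSITIVE_HEADERS)


if __name__ == "__main__":
    # Constructed sample request headers (values are placeholders).
    sample = {"Authorization": "Bearer TOKEN", "Cookie": "session=abc",
              "Proxy-Authorization": "Basic cHJveHk=", "Accept": "application/json"}
    src, loc = "https://api.example.com/v1/items", "https://other.example.net/cb"
    print("pre-fix :", headers_for_redirect_prefix(src, loc, sample)[1])
    print("hardened:", headers_for_redirect(src, loc, sample)[1])
```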
Update to version 3.13.4 or higher of aiohttp. This version fixes the leak of the Cookie and Proxy-Authorization headers when following redirects to a different origin. The update can be performed using the pip package manager.
CVE-2026-34518 is a Server-Side Request Forgery vulnerability in the aiohttp Python library where sensitive headers are leaked during redirects to different origins.
You are affected if you are using aiohttp version 3.9.5 or earlier. Upgrade to 3.13.4 or later to mitigate the risk.
Upgrade to aiohttp version 3.13.4 or later. If immediate upgrade is not possible, implement temporary workarounds like header filtering or URL scrutiny.
No active exploitation campaigns are currently known, but the vulnerability's ease of triggering suggests it could become a target.
Refer to the aiohttp GitHub repository for details and the patch: https://github.com/aio-libs/aiohttp/commit/5351c980dcec7ad385730efdf4e1f4338b24fdb6