Platform: python
Component: aiohttp
Fixed in: 3.13.5, 3.13.4
CVE-2026-34519 describes a response header injection vulnerability discovered in aiohttp, a Python 3.6+ HTTP client/server framework. An attacker who can influence the reason parameter when an HTTP response is constructed could inject arbitrary headers, leading to unexpected behavior. This vulnerability affects versions of aiohttp up to and including 3.9.5, and a fix is available in version 3.13.4.
The impact of CVE-2026-34519 is relatively limited, but still concerning. An attacker's ability to inject headers hinges on the application passing user-supplied data, unchecked, into the reason parameter of the Response object. If an application allows untrusted data to be used directly in this parameter, an attacker could manipulate the response headers. This could lead to issues such as redirecting users to malicious sites, injecting custom cookies, or altering the perceived origin of the response. While the vulnerability is rated LOW severity, the potential for subtle manipulation warrants attention, especially in applications handling sensitive data or user authentication.
CVE-2026-34519 was publicly disclosed on April 1, 2026. There is currently no indication of active exploitation campaigns targeting this vulnerability. The EPSS score is likely low, reflecting the limited attack surface and the requirement for specific application misconfigurations. No public proof-of-concept exploits have been released at the time of this writing, but the vulnerability's nature suggests that such exploits could be developed relatively easily.
Exploit Status
EPSS: 0.06% (18th percentile)
CISA SSVC
The primary mitigation for CVE-2026-34519 is to upgrade to aiohttp version 3.13.4 or later. This version includes a fix that prevents the injection of arbitrary headers via the reason parameter. If upgrading immediately is not feasible, carefully review the application's code to ensure that the reason parameter is never populated directly with user-supplied data. Input validation and sanitization are crucial. Consider implementing a Web Application Firewall (WAF) with rules to detect and block suspicious header injections. After upgrading, confirm the fix by constructing a response whose reason parameter carries a header-injection payload and verifying that the injected headers do not appear in the final response.
Update the version of aiohttp to 3.13.4 or higher. This version contains the fix for the HTTP response splitting vulnerability. You can update using pip: `pip install aiohttp==3.13.4`.
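One way to implement the input validation recommended above while an upgrade is pending, as an added example that is not part of aiohttp or of this advisory: a check enforcing the RFC 9112 reason-phrase grammar (which excludes CR and LF) before any untrusted text reaches a Response, with a fallback to the standard phrase for the status code. The function names are assumptions.

```python
# Added example (not aiohttp's own code): guard the HTTP reason phrase before
# it reaches a Response object, for applications that build responses from
# untrusted input and cannot upgrade immediately.
from http import HTTPStatus
from typing import Optional
import re

# RFC 9112 section 4: reason-phrase = 1*( HTAB / SP / VCHAR / obs-text )
# VCHAR = %x21-7E, obs-text = %x80-FF. CR (0x0D) and LF (0x0A) are outside
# the grammar, which is what keeps a reason phrase from ending the status
# line and starting a header of the attacker's choosing.
_REASON_RE = re.compile(r"[\t \x21-\x7e\x80-\xff]+")


def is_valid_reason(reason: str) -> bool:
    """True if `reason` is a complete, non-empty RFC 9112 reason phrase.

    fullmatch() is used deliberately: re.match() with `$` would accept a
    trailing newline, which is exactly the character we must reject.
    Code points above U+00FF are rejected too; the status line is not Unicode.
    """
    return _REASON_RE.fullmatch(reason) is not None


def safe_reason(reason: Optional[str], status: int) -> str:
    """Return `reason` if it passes the grammar, else the standard phrase.

    Untrusted text never reaches the status line unless it matches exactly;
    unknown status codes fall back to a fixed placeholder phrase.
    """
    if isinstance(reason, str) and is_valid_reason(reason):
        return reason
    try:
        return HTTPStatus(status).phrase
    except ValueError:
        return "Unknown"


def status_line(status: int, reason: str) -> str:
    """Render an HTTP/1.1 status line, refusing anything that is not one line."""
    if not is_valid_reason(reason):
        raise ValueError("reason phrase contains characters outside the RFC 9112 grammar")
    return f"HTTP/1.1 {status} {reason}\r\n"


if __name__ == "__main__":
    # Constructed sample: what a request-derived reason might look like.
    print(status_line(404, safe_reason("Not Found\r\nSet-Cookie: x=y", 404)))
```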
CVE-2026-34519 is a LOW severity vulnerability in aiohttp versions up to 3.9.5 that allows an attacker to inject headers by manipulating the 'reason' parameter in HTTP responses.
You are affected if your application uses aiohttp version 3.9.5 or earlier. Upgrade to 3.13.4 or later to resolve the issue.
Upgrade to aiohttp version 3.13.4 or later. Also, review your code to ensure user input is not directly used in the 'reason' parameter.
There is currently no evidence of active exploitation, but the vulnerability's nature suggests potential for exploitation.
Refer to the official aiohttp GitHub repository commit: https://github.com/aio-libs/aiohttp/commit/53b35a2f8869c37a133e60bf1a82a1c01642ba2b