Platform: python
Component: aiohttp
Fixed in: 3.13.5, 3.13.4
CVE-2026-34520 affects aiohttp versions up to 3.9.5 and involves a header injection vulnerability. The vulnerability arises from the C parser's improper handling of null bytes and control characters within response headers. This can lead to unexpected header interpretation and potential security bypasses, impacting applications relying on accurate header values.
An attacker can exploit this vulnerability by crafting malicious HTTP responses containing control characters within header values. These characters are then misinterpreted by the C parser, potentially altering the behavior of request.url.origin() or other header-dependent functions. This could allow an attacker to bypass security controls, such as authentication or authorization mechanisms, by manipulating the server's understanding of the request. The blast radius extends to any application using aiohttp that relies on accurate header parsing, particularly those interacting with reverse proxies or external services.
CVE-2026-34520 was publicly disclosed on 2026-04-01. No known active exploitation campaigns have been reported at the time of writing. The vulnerability's severity is classified as CRITICAL (CVSS 9.1). There are currently no KEV listings for this CVE. Public proof-of-concept code is not yet available, but the vulnerability's nature suggests it could be relatively easy to exploit.
Exploit Status
EPSS: 0.06% (17th percentile)
CVSS Vector
The primary mitigation is to upgrade aiohttp to version 3.13.4 or later, which includes a fix for this vulnerability. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) or reverse proxy rules to filter out HTTP responses containing suspicious control characters in headers. Specifically, look for patterns containing null bytes (\0) or other non-printable characters in header values. Thoroughly test any configuration changes to avoid disrupting legitimate traffic. After upgrading, confirm the fix by sending crafted requests with control characters in headers and verifying that they are properly sanitized.
Update the aiohttp library to version 3.13.4 or higher. This fixes the header injection vulnerability by rejecting null bytes and control characters in response header values. You can update using `pip install -U aiohttp`.
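As an added defensive example, not code from this advisory or from the aiohttp project: a small Python check that implements the interim filtering rule described above, flagging HTTP header values that contain NUL bytes or other control characters (horizontal tab is tolerated, as HTTP field values allow it). The raw header block it runs over is constructed for illustration; the function names and the sample header names and values are assumptions, not anything the page or aiohttp defines.

```python
"""Added example (not aiohttp's own code): flag HTTP header values that carry
NUL bytes or other control characters, mirroring the WAF/proxy rule the
advisory suggests as an interim mitigation. All header data below is
constructed sample input, not captured traffic."""
import re

# Disallowed in a header value: NUL (0x00) and every other C0 control
# character except horizontal tab (0x09), plus DEL (0x7F).
_CONTROL_CHARS = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


def find_control_chars(value: str) -> list[tuple[int, str]]:
    """Return (offset, repr(char)) for each disallowed control character in value."""
    return [(m.start(), repr(m.group())) for m in _CONTROL_CHARS.finditer(value)]


def check_headers(headers) -> dict[str, list[tuple[int, str]]]:
    """Return only the headers whose values contain control characters.

    `headers` is an iterable of (name, value) pairs, e.g. the raw headers of
    an upstream response as a proxy or application sees them before trusting
    them for anything security-relevant.
    """
    findings = {}
    for name, value in headers:
        hits = find_control_chars(value)
        if hits:
            findings[name] = hits
    return findings


def parse_raw_headers(raw: bytes) -> list[tuple[str, str]]:
    """Split a raw header block (status line already removed, up to the blank
    line) into (name, value) pairs. Decoded as latin-1 so every byte maps to
    exactly one character and nothing is silently dropped before the check."""
    text = raw.decode("latin-1")
    pairs = []
    for line in text.split("\r\n"):
        if not line or ":" not in line:
            continue
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip(" \t")))
    return pairs


# Constructed sample: one clean header, one value carrying an embedded NUL,
# one carrying a bare CR, and one with a (permitted) horizontal tab.
SAMPLE_HEADERS = (
    b"Content-Type: text/html\r\n"
    b"X-Forwarded-Host: app.example\x00ignored\r\n"
    b"Location: /login\rX-Debug: 1\r\n"
    b"X-Tab-Ok: a\tb\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for name, hits in check_headers(parse_raw_headers(SAMPLE_HEADERS)).items():
        print(f"REJECT {name}: control characters at {hits}")
```

Run as a script it reports the two offending headers (`X-Forwarded-Host` and `Location`) with the byte offsets of the control characters; `check_headers` can be dropped into a proxy hook or a response-validation layer while the upgrade is rolled out, and the same function doubles as the post-upgrade verification the advisory recommends.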
CVE-2026-34520 is a critical vulnerability in aiohttp versions up to 3.9.5 that allows attackers to inject malicious header values via control characters, potentially leading to security bypasses.
You are affected if you are using aiohttp version 3.9.5 or earlier. Check your aiohttp version and upgrade if necessary.
Upgrade aiohttp to version 3.13.4 or later. If immediate upgrade is not possible, implement WAF rules to filter suspicious header characters.
No active exploitation campaigns have been reported at this time, but the vulnerability's nature suggests it could be easily exploited.
Refer to the aiohttp GitHub repository commit: https://github.com/aio-libs/aiohttp/commit/9370b9714a7a56003cacd31a9b4ae16eab109ba4