CVE-2026-54275

The server hostname TLS SNI check can be bypassed when an existing connection is reused.

If an application makes multiple requests to the same domain, but with different per-request server hostname parameters, then the later calls may succeed by reusing the existing connection when they should have been rejected due to the TLS SNI check.

Disable keep alive if you need to change the server hostname check between requests.

Patch: https://github.com/aio-libs/aiohttp/commit/0ca2b6c28a25726527a8b60f25960262a91ed0e0