PT-2026-29607 · Aiohttp · Aiohttp
Uug4Na · Published 2026-04-01 · Updated 2026-05-18 · CVE-2026-34518
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
AIOHTTP versions prior to 3.13.4
Description
When following redirects to a different origin, aiohttp removes the Authorization header while keeping the Cookie and Proxy-Authorization headers. This could lead to the leakage of sensitive information contained in the Cookie and Proxy-Authorization headers to an unintended party.
Recommendations
Update to AIOHTTP version 3.13.4 or later.
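The origin comparison behind the description above, as an added example that is not aiohttp's code or its patch: it treats a change of scheme, host or port as a new origin and drops all three headers named in the advisory. The function names, URLs and header values are constructed for illustration.

```python
from urllib.parse import urlsplit

# Credential-bearing headers named in the advisory.
SENSITIVE_HEADERS = frozenset({"authorization", "cookie", "proxy-authorization"})
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def headers_for_redirect(request_url, redirect_url, headers):
    """Drop credential headers when the redirect leaves the request's origin."""
    if origin(request_url) == origin(redirect_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}


def leaked_headers(request_url, redirect_url, sent_headers):
    """Names of credential headers that were sent to a different origin."""
    if origin(request_url) == origin(redirect_url):
        return []
    return sorted(k for k in sent_headers if k.lower() in SENSITIVE_HEADERS)


# Constructed sample request headers (placeholder values).
SAMPLE = {
    "Authorization": "Bearer example-token",
    "Cookie": "session=example",
    "Proxy-Authorization": "Basic ZXhhbXBsZQ==",
    "Accept": "*/*",
}

# Behaviour the advisory describes for affected versions:
# only Authorization is removed on a cross-origin redirect.
AFFECTED_BEHAVIOUR = {k: v for k, v in SAMPLE.items() if k != "Authorization"}

if __name__ == "__main__":
    src, dst = "https://api.example.com/v1", "https://other.example.net/landing"
    print("leaked by affected behaviour:", leaked_headers(src, dst, AFFECTED_BEHAVIOUR))
    print("sent after filtering:", headers_for_redirect(src, dst, SAMPLE))
```

`leaked_headers` can also be run over recorded outbound requests to check whether a client still forwards these headers after a cross-origin redirect.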
Fix
Information Disclosure
Weakness Enumeration
Related Identifiers
Affected Products
Aiohttp