PT-2026-29609 · Aiohttp · Aiohttp

Oxqnd +1 · Published 2026-04-01 · Updated 2026-05-18 · CVE-2026-34520

CVSS v3.1: 9.1 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions

AIOHTTP versions prior to 3.13.4

Description

The C parser, used by default in most installations, allowed null bytes and control characters within response headers. An attacker could leverage this to send header values that are interpreted unexpectedly due to the presence of control characters. For example, request.url.origin() might return a different value than the raw Host header, potentially leading to a security bypass.

Recommendations

Update to version 3.13.4 or later.
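
For installations that cannot be upgraded immediately, header pairs can be audited for the bytes the description mentions before any security decision is based on them. The following is an added example, not code from this advisory or from the aiohttp project; the function name `audit_headers` and the sample headers are constructed for illustration, and the input is assumed to be (name, value) byte pairs such as those exposed by aiohttp's `raw_headers` attribute.

```python
import re

# RFC 9110 field-value permits HTAB, SP, visible ASCII (0x21-0x7E) and
# obs-text (0x80-0xFF). NUL, the other C0 controls and DEL are rejected.
_FORBIDDEN_VALUE_BYTE = re.compile(rb"[\x00-\x08\x0a-\x1f\x7f]")
# RFC 9110 "token" characters permitted in a field name.
_FIELD_NAME = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def audit_headers(raw_headers):
    """Return (name, reason) findings for an iterable of (bytes, bytes) pairs."""
    findings = []
    for name, value in raw_headers:
        if not _FIELD_NAME.fullmatch(name):
            findings.append((name, "invalid field name"))
            continue
        match = _FORBIDDEN_VALUE_BYTE.search(value)
        if match:
            reason = "control byte 0x%02x at offset %d" % (match.group()[0], match.start())
            findings.append((name, reason))
    return findings


# Constructed sample input; none of these values come from the advisory.
SAMPLE_HEADERS = [
    (b"Host", b"example.test"),
    (b"X-Trace", b"abc\x00def"),   # embedded NUL
    (b"X-Note", b"tab\tok"),       # HTAB is allowed in a field value
    (b"Bad Name", b"v"),           # space is not a token character
    (b"X-Del", b"a\x7f"),          # DEL
]

if __name__ == "__main__":
    for header_name, why in audit_headers(SAMPLE_HEADERS):
        print(header_name.decode("latin-1"), "->", why)
```

A non-empty result is a reason to reject the message or log it for review; the check complements the upgrade to 3.13.4 and does not replace it.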

Related Identifiers

CLEANSTART-2026-AN27706
CVE-2026-34520
ECHO-9E39-7166-9C17
GHSA-63HF-3VF5-4WQF
OESA-2026-2192
OESA-2026-2193
OESA-2026-2194
OPENSUSE-SU-2026:10545-1

Affected Products

Aiohttp