PT-2026-29610 · Aiohttp · Aiohttp

5Yu4N · Published 2026-04-01 · Updated 2026-05-18 · CVE-2026-34525

CVSS v4.0: 6.3 (Medium)

Vector: AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N

Name of the Vulnerable Software and Affected Versions

AIOHTTP versions prior to 3.13.4

Description

Multiple Host headers were permitted in AIOHTTP, potentially allowing a reverse proxy's security rules to be bypassed. This could lead to a request being processed by AIOHTTP in a privileged sub-application when using Application.add_domain() if the proxy and AIOHTTP process different host names.

Recommendations

Update to AIOHTTP version 3.13.4 or later.

Fix

RCE

HTTP Request/Response Smuggling

Weakness Enumeration

Related Identifiers

CLEANSTART-2026-AN27706
CVE-2026-34525
ECHO-F8CB-56CE-2D8E
GHSA-C427-H43C-VF67
OESA-2026-2192
OESA-2026-2193
OESA-2026-2194

Affected Products

Aiohttp