PT-2026-49564 · Pypi · Aiohttp

Published

2026-06-15

Updated

2026-06-15

CVE-2026-50269

CVSS v4.0

2.7

Low

Vector

AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

Summary

Attacker-controlled input included into multipart/payload headers can be used to modify a request to inject additional headers or similar.

Impact

In the unlikely situation that an application is passing user-controlled strings into MultipartWriter.append(headers=...) or Payload.headers, then an attacker may be able to modify the request to inject headers or change the contents of the request.

Workaround

Sanitise such user input.

Patch: https://github.com/aio-libs/aiohttp/commit/bf88077ebb14f4c29924b8e8904cba20c55c28b8

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-113CWE-93

Related Identifiers

CVE-2026-50269

GHSA-M6QW-4CW2-HM4M

Affected Products

Aiohttp

PT-2026-49564 · Pypi · Aiohttp

CVE-2026-50269

Summary

Impact

Workaround

Weakness Enumeration

Related Identifiers

Affected Products

References · 4