PT-2026-49589 · Pypi · Aiohttp
Published 2026-06-15 · Updated 2026-06-15 · CVE-2026-54275
CVSS v4.0: 2.7 (Low)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

Summary
The server_hostname TLS SNI check can be bypassed when an existing connection is reused.

Impact
If an application makes multiple requests to the same domain, but with different per-request server_hostname parameters, then the later calls may succeed by reusing the existing connection when they should have been rejected due to the TLS SNI check.

Workaround
Disable keep-alive if you need to change the server_hostname check between requests.

Fix
Weakness Enumeration
Related Identifiers
Affected Products
Aiohttp
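
The connection-reuse behaviour described under Impact, and the effect of the Workaround, shown as an added example that is not aiohttp's code and not part of the advisory: a simplified pure-Python model of a keep-alive pool in which the hostname check runs only during the handshake. The class, the pool key, the hostnames and the address are constructed assumptions for illustration.

```python
# Simplified model of a keep-alive pool; NOT aiohttp's implementation.
# All names, hostnames and addresses below are constructed for illustration.

class HostnameMismatch(Exception):
    """The certificate does not cover the requested server hostname."""

# Constructed server: the certificate it presents covers only this name.
CERT_NAMES = {"api.example.test"}

class ModelClient:
    def __init__(self, keep_alive=True):
        self.keep_alive = keep_alive
        self._pool = {}        # (host, port) -> open connection
        self.handshakes = 0    # number of TLS handshakes performed

    def _handshake(self, host, port, server_hostname):
        # The hostname check happens here, and only here.
        self.handshakes += 1
        if server_hostname not in CERT_NAMES:
            raise HostnameMismatch(server_hostname)
        return {"peer": (host, port), "verified_as": server_hostname}

    def request(self, host, port, server_hostname):
        # Model assumption: the per-request hostname is not part of the key.
        key = (host, port)
        conn = self._pool.get(key) if self.keep_alive else None
        if conn is None:
            conn = self._handshake(host, port, server_hostname)
            if self.keep_alive:
                self._pool[key] = conn
        # A reused connection is returned without re-running the check.
        return conn["verified_as"]

def run(keep_alive):
    """Make two requests to one host with different server_hostname values."""
    client = ModelClient(keep_alive=keep_alive)
    results = []
    for name in ("api.example.test", "other.example.test"):
        try:
            client.request("203.0.113.10", 443, name)
            results.append((name, "accepted"))
        except HostnameMismatch:
            results.append((name, "rejected"))
    return results, client.handshakes
```

`run(True)` accepts both requests over a single handshake, while `run(False)` performs a second handshake and rejects the mismatched name. In aiohttp itself, keep-alive can be disabled by passing `aiohttp.TCPConnector(force_close=True)` as the session's connector.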