CVE-2026-34525
Received Received - Intake

Multiple Host Header Vulnerability in AIOHTTP Before

Vulnerability report for CVE-2026-34525, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-01

Last updated on: 2026-04-16

Assigner: GitHub, Inc.

Description

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, multiple Host headers were allowed in aiohttp. This issue has been patched in version 3.13.4.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-01
Last Modified
2026-04-16
Generated
2026-07-06
AI Q&A
2026-04-02
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
aiohttp aiohttp to 3.13.4 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-444 The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability in AIOHTTP, an asynchronous HTTP client/server framework for asyncio and Python, involves the acceptance of multiple Host headers prior to version 3.13.4. This behavior was unintended and has been addressed in version 3.13.4.

Impact Analysis

Allowing multiple Host headers can lead to security issues such as request smuggling or confusion in how the server processes requests, potentially enabling attackers to bypass security controls or cause unexpected behavior.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade aiohttp to version 3.13.4 or later, where the issue allowing multiple Host headers has been patched.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34525. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart