CVE-2026-47265
Status: Received - Intake
Cookie Exposure in AIOHTTP After Cross-Origin Redirect

Publication date: 2026-06-02

Last updated on: 2026-06-02

Assigner: GitHub, Inc.

Description
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, cookies set with the `cookies` parameter on requests are sent after following a cross-origin redirect. If a developer uses the `cookies` parameter on a per-request basis then sensitive data might be leaked to an attacker if they manage to control a redirect. Version 3.14.0 patches the issue. If unable to upgrade, using a `Cookie` header in the `headers` parameter is not vulnerable.
Meta Information
Generated: 2026-06-03
AI Q&A: 2026-06-02
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: aio-libs
Product: aiohttp
Version / Range: all versions before 3.14.0 (3.14.0 itself is fixed)
CWE
CWE-346 (Origin Validation Error): The product does not properly verify that the source of data or communication is valid.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-47265 affects aiohttp, an asynchronous HTTP client/server framework for Python. Prior to version 3.14.0, cookies passed to a single request through the `cookies` parameter were still attached to the follow-up request after the client followed a redirect to a different origin (a different scheme, host or port). If an attacker controls where that redirect points, the client delivers cookies that were meant for the original site to the attacker's server.

Version 3.14.0 fixes this so that per-request cookies are no longer forwarded when a redirect leaves the original origin. Cookies supplied as a `Cookie` header through the `headers` parameter were not affected by the bug.


How can this vulnerability impact me?

If an attacker can control a redirect, for example through an open-redirect endpoint on a site your client talks to, the client sends the per-request cookies to the attacker's origin on the follow-up request. Those cookies often carry session tokens or API credentials, so the attacker may be able to impersonate the user or service that made the request and gain unauthorized access. The impact is limited to cookies passed with the `cookies` parameter on requests that are allowed to follow redirects.


What immediate steps should I take to mitigate this vulnerability?

Upgrade aiohttp to version 3.14.0 or later, where the issue is patched, and pin that minimum in your dependency files (for example `aiohttp>=3.14.0`) so the fix cannot regress.

If you cannot upgrade immediately, stop passing sensitive cookies through the per-request `cookies` parameter. Send them as a `Cookie` header in the `headers` parameter instead, which the advisory states is not affected. For particularly sensitive requests you can also pass `allow_redirects=False` (aiohttp follows redirects by default) and handle any 3xx response yourself, so the client never automatically re-sends the request to a location chosen by the server.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

In aiohttp versions before 3.14.0, cookies supplied through the per-request `cookies` parameter can be sent to a third-party origin after a redirect. Where those cookies contain session identifiers or other personal or health-related data, that transmission is an unauthorized disclosure of the kind regulations such as GDPR and HIPAA require you to prevent, and it may trigger breach-notification duties.

Because the data is sent to an unrelated domain without the user's or controller's intent, the vulnerability raises the risk of unauthorized data exposure and weakens the technical controls these standards expect around personal and sensitive information.

Upgrading to version 3.14.0 or later, or passing cookies via the `Cookie` header in the `headers` parameter until you can upgrade, removes this exposure and supports continued compliance.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Versions of aiohttp before 3.14.0 forward cookies given through the `cookies` parameter after a cross-origin redirect. Detection has two parts: confirm which aiohttp versions are installed and whether your code uses per-request cookies, and, where possible, observe whether a client actually sends a `Cookie` header to a different origin after a 3xx response.

The reliable checks are on the host rather than on the wire, because most of the traffic involved is TLS-encrypted:

  • Inventory installed versions in every virtual environment and container image: `pip show aiohttp`, `pip list | grep -i aiohttp`, or `pip-audit`. Anything below 3.14.0 is affected.
  • Search the code base for per-request cookie use, for example `grep -rn "cookies=" --include="*.py" .`, and check whether those calls can follow redirects (aiohttp follows redirects by default; `allow_redirects=False` disables it).
  • Instrument the client: aiohttp's `TraceConfig` exposes an `on_request_redirect` signal, which you can use to log each redirect target and compare its origin (scheme, host, port) against the original request URL.
  • On the wire, capture traffic with `tcpdump -i any -s 0 -w capture.pcap port 80 or port 443`, then filter in Wireshark or tshark, for example `tshark -r capture.pcap -Y "http.response.code >= 300 && http.response.code < 400"` to find redirects and `-Y "http.cookie"` to find requests carrying cookies, and check whether a cookie-bearing request follows a redirect to a different origin.
  • Bear in mind that port 443 traffic is encrypted: a plain tcpdump capture shows no HTTP fields. Cookies are only visible if you capture at a TLS-terminating proxy or decrypt the capture with the client's TLS session keys (Wireshark can read a key log file).
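As an added example (not code from the aiohttp project or from this advisory), the following script performs two of the host-side checks above offline. It reports whether the aiohttp installed in the current environment falls in the affected range, and it scans a redirect trace for hops where a `Cookie` header followed a 3xx response to a different origin, which is the same origin comparison the patched client has to make. The trace is constructed for the example and stands in for the per-hop records an `on_request_redirect` hook or a decrypted capture would give you; the record field names and the `is_same_origin` helper are assumptions of this example.

```python
import re
from importlib.metadata import PackageNotFoundError, version
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) origin tuple of a URL.

    The port is filled in from the scheme's default so that
    https://a.example/ and https://a.example:443/ compare equal.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def is_same_origin(url_a, url_b):
    """True when both URLs share scheme, host and port (RFC 6454 origin)."""
    return origin(url_a) == origin(url_b)


# Constructed request trace (not real traffic): one record per request the
# client made, with the response status, the Location it was sent to and the
# Cookie header value the client attached to that request.
SAMPLE_TRACE = [
    {"url": "https://app.example.com/login", "status": 302,
     "location": "https://evil.example.net/collect", "cookie": "session=abc123"},
    {"url": "https://evil.example.net/collect", "status": 200,
     "location": None, "cookie": "session=abc123"},
    {"url": "https://api.example.com/v1/me", "status": 301,
     "location": "/v2/me", "cookie": "session=abc123"},
    {"url": "https://api.example.com/v2/me", "status": 200,
     "location": None, "cookie": "session=abc123"},
]


def find_cross_origin_cookie_leaks(trace):
    """Return (from_url, to_url, cookie) for every redirect hop in which the
    follow-up request carried a Cookie header to a different origin."""
    leaks = []
    for prev, nxt in zip(trace, trace[1:]):
        if not (300 <= prev["status"] < 400 and prev["location"]):
            continue
        # Resolve relative Location values against the URL that issued them.
        target = urljoin(prev["url"], prev["location"])
        if nxt["url"] != target:
            continue  # next record is not the follow-up for this redirect
        if nxt["cookie"] and not is_same_origin(prev["url"], nxt["url"]):
            leaks.append((prev["url"], nxt["url"], nxt["cookie"]))
    return leaks


_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def aiohttp_is_affected(ver):
    """True for versions below 3.14.0, the fixed version named in the advisory.

    Only the numeric major.minor.patch triple is compared; pre-release
    suffixes such as 'a1' are ignored.
    """
    m = _VERSION_RE.match(ver)
    if not m:
        raise ValueError("unrecognised version string: %r" % ver)
    major, minor, patch = (int(x) if x is not None else 0 for x in m.groups())
    return (major, minor, patch) < (3, 14, 0)


def installed_aiohttp_status():
    """Return (version, affected) for the aiohttp in this environment, or
    None when it is not installed."""
    try:
        ver = version("aiohttp")
    except PackageNotFoundError:
        return None
    return ver, aiohttp_is_affected(ver)


if __name__ == "__main__":
    status = installed_aiohttp_status()
    if status is None:
        print("aiohttp is not installed in this environment")
    else:
        print("aiohttp %s affected=%s" % status)
    for src, dst, cookie in find_cross_origin_cookie_leaks(SAMPLE_TRACE):
        print("LEAK: %s -> %s carried %r" % (src, dst, cookie))
```

Run it inside each virtual environment you want to check; on the constructed trace it flags the hop from `app.example.com` to `evil.example.net` and ignores the same-origin redirect on `api.example.com`. To use it on real data, build the trace records from an `on_request_redirect` hook or from a decrypted capture.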
