CVE-2026-34519
MEDIUMAIOHTTP: HTTP response splitting via \r in reason phrase
Title source: cnaDescription
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the reason parameter when creating a Response may be able to inject extra headers or similar exploits. This issue has been patched in version 3.13.4.
References (3)
Core 3
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-mwh4-6h8g-pg8w
X_Refsource_Misc x_refsource_misc
https://github.com/aio-libs/aiohttp/commit/53b35a2f8869c37a133e60bf1a82a1c01642ba2b
X_Refsource_Misc x_refsource_misc
https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4
Scores
CVSS v3
5.3
EPSS
0.0029
EPSS Percentile
20.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-113
Status
published
Products (3)
aio-libs/aiohttp
< 3.13.4
aiohttp/aiohttp
< 3.13.4
pypi/aiohttp
0 - 3.13.4PyPI
Published
Apr 01, 2026
Tracked Since
Apr 02, 2026