CVE-2026-47265
HIGHAIOHTTP vulnerable to cross-origin redirect with per-request cookies
Title source: cnaDescription
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, cookies set with the `cookies` parameter on requests are sent after following a cross-origin redirect. If a developer uses the `cookies` parameter on a per-request basis then sensitive data might be leaked to an attacker if they manage to control a redirect. Version 3.14.0 patches the issue. If unable to upgrade, using a `Cookie` header in the `headers` parameter is not vulnerable.
References (2)
Core 2
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-hg6j-4rv6-33pg
X_Refsource_Misc x_refsource_misc
https://github.com/aio-libs/aiohttp/commit/f54c40851b0d6c4bbdab97ba518a223adda32478
Scores
CVSS v3
7.5
EPSS
0.0015
EPSS Percentile
4.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-346
Status
published
Products (3)
aio-libs/aiohttp
< 3.14.0
aiohttp/aiohttp
< 3.14.0
pypi/aiohttp
0 - 3.14.0PyPI
Published
Jun 02, 2026
Tracked Since
Jun 03, 2026