CVE-2026-50269 | AIOHTTP is an asynchronous HTTP client/server framework for … | CVSS 2.7 LOW

Description

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.0, attacker-controlled input included into multipart/payload headers can be used to modify a request to inject additional headers or similar. In the unlikely situation that an application is passing user-controlled strings into MultipartWriter.append(headers=...) or Payload.headers, then an attacker may be able to modify the request to inject headers or change the contents of the request. This vulnerability is fixed in 3.14.0.

Metadata

CVE ID: CVE-2026-50269
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-04 16:26 UTC
Published: 2026-06-22 16:30 UTC
Last updated: 2026-06-22 17:22 UTC
Primary CWE: CWE-93
CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Inj…
Vendor / Product: aio-libs / aiohttp
Sources: cve.org · NVD

Severity & Metrics

2.7 LOW CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
aio-libs	aiohttp	—	< 3.14.0

Weakness (CWE)

CWE	Source	Description
CWE-113	cna	CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
CWE-93	cna	CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')

CVSS scores (1)

Score	Severity	Version	Source	Vector
2.7	LOW	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

References (2)

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-m6qw-4cw2-hm4m https://github.com/aio-libs/aiohttp/security/advisories/GHSA-m6qw-4cw2-hm4m
https://github.com/aio-libs/aiohttp/commit/bf88077ebb14f4c29924b8e8904cba20c55c28b8 https://github.com/aio-libs/aiohttp/commit/bf88077ebb14f4c29924b8e8904cba20c55c28b8