VYPR
Medium severity 5.3 · NVD Advisory · Published Apr 1, 2026 · Updated Apr 15, 2026

CVE-2026-34514

Description

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an attacker who controls the content_type parameter in aiohttp could use it to inject extra headers or carry out similar exploits. This issue has been patched in version 3.13.4.
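
How a CR/LF in content_type turns into an extra header line in a multipart part, and how the condition added in 3.13.4 rejects it. This is an added example, not aiohttp's code: `render_part_headers`, `parse_part_headers` and the sample value are hypothetical and constructed, and the serializer is a simplified stand-in for a multipart writer.

```python
def render_part_headers(name, content_type, validate):
    """Serialize one multipart part's header block (hypothetical helper)."""
    if not isinstance(content_type, str):
        raise TypeError(
            "content_type must be an instance of str. Got: %s" % content_type
        )
    if validate and ("\r" in content_type or "\n" in content_type):
        # Same condition as the check added to FormData.add_field in 3.13.4.
        raise ValueError("Newline or carriage return detected in headers.")
    lines = [
        f"Content-Type: {content_type}",
        f'Content-Disposition: form-data; name="{name}"',
    ]
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_part_headers(block):
    """Read the block back as a receiver would: one header per CRLF line."""
    head, _, _ = block.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n"):
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return headers


# Constructed sample: a caller-supplied value that carries a CRLF.
TAINTED = "text/plain\r\nX-Example: injected"


def demo():
    """Return (headers seen without the check, whether the check rejects)."""
    unsafe = parse_part_headers(
        render_part_headers("field", TAINTED, validate=False)
    )
    try:
        render_part_headers("field", TAINTED, validate=True)
        rejected = False
    except ValueError:
        rejected = True
    return unsafe, rejected


if __name__ == "__main__":
    seen, rejected = demo()
    print(sorted(seen), rejected)
```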

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
aiohttp (PyPI) | < 3.13.4 | 3.13.4

Affected products

  • cpe:2.3:a:aiohttp:aiohttp:*:*:*:*:*:*:*:*
    Range: <3.13.4

Patches

9a6ada97e2c6

Fix multipart injection (#12104) (#12110)

https://github.com/aio-libs/aiohttp · Sam Bull · Feb 21, 2026 · via ghsa
2 files changed · +16 -5
  • aiohttp/formdata.py +5 -0 modified
    @@ -78,6 +78,11 @@ def add_field(
                     raise TypeError(
                         "content_type must be an instance of str. Got: %s" % content_type
                     )
    +            if "\r" in content_type or "\n" in content_type:
    +                raise ValueError(
    +                    "Newline or carriage return detected in headers. "
    +                    "Potential header injection attack."
    +                )
                 headers[hdrs.CONTENT_TYPE] = content_type
                 self._is_multipart = True
             if content_transfer_encoding is not None:
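
Review bot: the CR/LF check sits only in the `content_type` branch, while the context line right after it opens the `content_transfer_encoding` branch and no equivalent check is visible in this hunk. If that value is also written into `headers`, it should get the same rejection, ideally through one shared helper so the two branches cannot drift apart. The new message would also be easier to act on if it named the parameter, as the `TypeError` just above does with "content_type must be an instance of str"; if the value is echoed as well, pass it through `repr()` so the control characters are not written raw into logs.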
    
  • tests/test_formdata.py +11 -5 modified
    @@ -67,12 +67,18 @@ async def test_formdata_textio_charset(buf: bytearray, writer) -> None:
         assert b"\x93\xfa\x96{" in buf
     
     
    -def test_invalid_formdata_content_type() -> None:
    +@pytest.mark.parametrize("val", (0, 0.1, {}, [], b"foo"))
    +def test_invalid_type_formdata_content_type(val: object) -> None:
         form = FormData()
    -    invalid_vals = [0, 0.1, {}, [], b"foo"]
    -    for invalid_val in invalid_vals:
    -        with pytest.raises(TypeError):
    -            form.add_field("foo", "bar", content_type=invalid_val)
    +    with pytest.raises(TypeError):
    +        form.add_field("foo", "bar", content_type=val)  # type: ignore[arg-type]
    +
    +
    +@pytest.mark.parametrize("val", ("\r", "\n", "a\ra\n", "a\na\r"))
    +def test_invalid_value_formdata_content_type(val: str) -> None:
    +    form = FormData()
    +    with pytest.raises(ValueError):
    +        form.add_field("foo", "bar", content_type=val)
     
     
     def test_invalid_formdata_filename() -> None:
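
Review bot: `pytest.raises(ValueError)` in `test_invalid_value_formdata_content_type` has no `match=`, so the test passes on any ValueError raised inside `add_field`, not only the new CR/LF rejection; adding `match="Newline or carriage return"` ties it to the new check. The parametrized values are bare control characters or `a`-padded strings, so one case with a plausible media type followed by a line break, such as `"text/plain\r\n"`, would show that an otherwise valid-looking value is rejected too. Neither new test asserts that `form` is left without the field after the exception, which would be worth one extra assertion.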
    
