VYPR
Medium severity (CVSS 5.3) · NVD Advisory · Published Apr 1, 2026 · Updated Apr 16, 2026

CVE-2026-34518

Description

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, when the client follows a redirect to a different origin it drops the Authorization header but keeps any Cookie and Proxy-Authorization headers that were set on the request, so those credentials are sent to the new origin. Version 3.13.4 drops all three headers on a cross-origin redirect.
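The redirect check described above, as an added stand-alone model (not aiohttp's own code; it uses only the standard library, no aiohttp or yarl). The origin is modelled here as (scheme, host, port) with the scheme's default port filled in, which is this example's assumption rather than a statement about yarl's URL.origin(). The header sets PRE_FIX_DROP and FIXED_DROP, the redirect chain and the request headers are constructed for the example; the hostnames and credential values are placeholders:

```python
"""Model of aiohttp's cross-origin redirect header handling, before and after 3.13.4.

Added, stand-alone example built on the standard library only; it does not use
aiohttp or yarl. Origin is modelled as (scheme, host, port) with the scheme's
default port filled in, an assumption of this example.
"""
from urllib.parse import urljoin, urlsplit

# Header names (lower-cased) removed when a redirect crosses origins.
PRE_FIX_DROP = frozenset({"authorization"})  # behaviour before 3.13.4
FIXED_DROP = frozenset({"authorization", "cookie", "proxy-authorization"})  # 3.13.4

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port) for url, filling in the default port so that
    https://a.example and https://a.example:443 compare equal."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    if not host or port is None:
        raise ValueError("cannot determine origin of %r" % url)
    return scheme, host, port


def headers_for_redirect(current_url, location, headers, drop=FIXED_DROP):
    """Resolve the Location header against current_url and return
    (target_url, headers_to_send). Credential headers named in `drop` are
    removed (case-insensitively) only when the target is a different origin."""
    target = urljoin(current_url, location)
    forwarded = dict(headers)
    if origin(current_url) != origin(target):
        for name in list(forwarded):
            if name.lower() in drop:
                del forwarded[name]
    return target, forwarded


def follow_redirects(start_url, headers, responses, drop=FIXED_DROP, max_hops=10):
    """Walk a constructed redirect chain and record the header names each hop
    would receive. `responses` maps a URL to its Location header, or None for
    a final non-redirect response."""
    url, hdrs = start_url, dict(headers)
    trace = []
    for _ in range(max_hops):
        trace.append((url, sorted(hdrs)))
        location = responses.get(url)
        if location is None:
            return trace
        url, hdrs = headers_for_redirect(url, location, hdrs, drop)
    raise RuntimeError("too many redirects")


# Constructed chain: app.example redirects cross-origin to attacker.example,
# which then issues a relative (same-origin) redirect. Hostnames are made up.
CHAIN = {
    "https://app.example/login": "https://attacker.example/capture",
    "https://attacker.example/capture": "/done",
    "https://attacker.example/done": None,
}
# Constructed request headers; the credential values are placeholders.
REQUEST_HEADERS = {
    "Authorization": "Basic dXNlcjpwYXNz",
    "Proxy-Authorization": "Basic dXNlcjpwYXNz",
    "Cookie": "session=abc",
    "Accept": "application/json",
}

if __name__ == "__main__":
    for label, drop in (("aiohttp < 3.13.4", PRE_FIX_DROP), ("aiohttp 3.13.4", FIXED_DROP)):
        print(label)
        for url, names in follow_redirects("https://app.example/login", REQUEST_HEADERS, CHAIN, drop):
            print("  %-40s %s" % (url, ", ".join(names)))
```

Run with the pre-fix set and the second hop (attacker.example) still receives Cookie and Proxy-Authorization; with the fixed set only Accept survives the origin change, and the later same-origin hop adds nothing back. A scheme change (https to http) on the same host also counts as a different origin, which is the case a "same domain" check would miss.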

Affected packages

Versions sourced from the GitHub Security Advisory.

Package    Ecosystem    Affected versions    Patched versions
aiohttp    PyPI         < 3.13.4             3.13.4

Affected products

  • cpe:2.3:a:aiohttp:aiohttp:*:*:*:*:*:*:*:*
    Range: <3.13.4

Patches

5351c980dcec

Drop additional headers on redirect (#12146) (#12150)

https://github.com/aio-libs/aiohttp · Sam Bull · Feb 27, 2026 · via GHSA
2 files changed · +10 −1
  • aiohttp/client.py · +2 −0 · modified
    @@ -893,6 +893,8 @@ async def _connect_and_send_request(
                             if url.origin() != redirect_origin:
                                 auth = None
                                 headers.pop(hdrs.AUTHORIZATION, None)
    +                            headers.pop(hdrs.COOKIE, None)
    +                            headers.pop(hdrs.PROXY_AUTHORIZATION, None)
     
                             url = parsed_redirect_url
                             params = {}
    
  • tests/test_client_functional.py · +8 −1 · modified
    @@ -3445,6 +3445,8 @@ async def srv_from(request):
         async def srv_to(request):
             assert request.host == url_to.host
             assert "Authorization" not in request.headers, "Header wasn't dropped"
    +        assert "Proxy-Authorization" not in request.headers
    +        assert "Cookie" not in request.headers
             return web.Response()
     
         server_from = await create_server_for_url_and_handler(url_from, srv_from)
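Review bot: The two new asserts in srv_to lack the failure message the existing Authorization assert carries ("Header wasn't dropped"); give each the same style, e.g. `assert "Cookie" not in request.headers, "Cookie wasn't dropped"`, so a failure names the header that leaked.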
    @@ -3487,11 +3489,16 @@ async def close(self):
             resp = await client.get(
                 url_from,
                 auth=aiohttp.BasicAuth("user", "pass"),
    +            headers={"Proxy-Authorization": "Basic dXNlcjpwYXNz", "Cookie": "a=b"},
             )
             assert resp.status == 200
             resp = await client.get(
                 url_from,
    -            headers={"Authorization": "Basic dXNlcjpwYXNz"},
    +            headers={
    +                "Authorization": "Basic dXNlcjpwYXNz",
    +                "Proxy-Authorization": "Basic dXNlcjpwYXNz",
    +                "Cookie": "a=b",
    +            },
             )
             assert resp.status == 200
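Review bot: Both requests here exercise only the cross-origin path; there is no companion request whose redirect stays on url_from's origin asserting that Cookie and Proxy-Authorization are still delivered, so a regression that drops them unconditionally would pass this test. Add a same-origin redirect case. Minor: reusing the same Basic value for Authorization and Proxy-Authorization makes a leaked header ambiguous in a failure; a distinct value for Proxy-Authorization would help.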
     
    

Vulnerability mechanics

In aiohttp/client.py, _connect_and_send_request compares the origin of the request URL with the origin of the redirect target (url.origin() != redirect_origin). Before 3.13.4 the cross-origin branch only reset the auth object and popped Authorization from the request headers, so Cookie and Proxy-Authorization set on the request were forwarded to the other origin. The fix (commit 5351c980dcec) pops those two headers in the same branch; the updated test in tests/test_client_functional.py sends all three headers to a server that redirects cross-origin and asserts that none of them reach the second server.
