Critical severity 9.1 · NVD Advisory · Published Apr 1, 2026 · Updated Apr 16, 2026
CVE-2026-34520
Description
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, the C parser (the default for most installs) accepted null bytes and control characters in response headers. This issue has been patched in version 3.13.4.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| aiohttp (PyPI) | < 3.13.4 | 3.13.4 |
Affected products
osv-coords, 37 versions:

| Package | CPE | Affected range |
|---|---|---|
| pkg:apk/chainguard/airflow-2 | (no CPE) | < 2.11.2-r5 |
| pkg:apk/chainguard/airflow-3 | (no CPE) | < 3.2.1-r0 |
| pkg:apk/chainguard/airflow-core-2 | (no CPE) | < 2.11.2-r3 |
| pkg:apk/chainguard/authentik-2025.12 | (no CPE) | < 2025.12.4-r3 |
| pkg:apk/chainguard/authentik-2026.2 | (no CPE) | < 2026.2.1-r3 |
| pkg:apk/chainguard/authentik-fips-2025.12 | (no CPE) | < 2025.12.4-r3 |
| pkg:apk/chainguard/authentik-fips-2026.2 | (no CPE) | < 2026.2.1-r3 |
| pkg:apk/chainguard/awx | (no CPE) | < 24.6.1-r33 |
| pkg:apk/chainguard/checkov | (no CPE) | < 3.2.517-r0 |
| pkg:apk/chainguard/dask-kubernetes | (no CPE) | < 2026.3.0-r3 |
| pkg:apk/chainguard/datahub-ingestion | (no CPE) | < 1.6.0-r1 |
| pkg:apk/chainguard/datahub-ingestion-fips | (no CPE) | < 1.5.0.1-r1 |
| pkg:apk/chainguard/keep-api | (no CPE) | < 0.51.0-r2 |
| pkg:apk/chainguard/keep-api-fips | (no CPE) | < 0.51.0-r2 |
| pkg:apk/chainguard/kserve-storage-controller | (no CPE) | < 0.17.0-r2 |
| pkg:apk/chainguard/kubeflow-pipelines-visualization-server | (no CPE) | < 2.16.0-r4 |
| pkg:apk/chainguard/litellm | (no CPE) | < 1.82.3.0-r3 |
| pkg:apk/chainguard/metaflow-service | (no CPE) | < 2.5.0-r10 |
| pkg:apk/chainguard/metaflow-service-fips | (no CPE) | < 2.5.0-r2 |
| pkg:apk/chainguard/open-webui | (no CPE) | < 0.8.12-r3 |
| pkg:apk/chainguard/py3.13-scanner-test-libraries-aiohttp | (no CPE) | < 0.0.1-r3 |
| pkg:apk/chainguard/py3-cassandra-medusa | (no CPE) | < 0.27.1-r2 |
| pkg:apk/chainguard/request-1276 | (no CPE) | < 0.27.1-r2 |
| pkg:apk/chainguard/text-generation-inference | (no CPE) | < 3.3.7-r10 |
| pkg:apk/chainguard/tritonserver-backend-vllm-cuda-12.9 | (no CPE) | < 25.9.0_git20260318-r1 |
| pkg:apk/chainguard/tritonserver-backend-vllm-cuda-13.0 | (no CPE) | < 25.11-r3 |
| pkg:apk/wolfi/airflow-3 | (no CPE) | < 3.2.1-r0 |
| pkg:apk/wolfi/checkov | (no CPE) | < 3.2.517-r0 |
| pkg:apk/wolfi/dask-kubernetes | (no CPE) | < 2026.3.0-r3 |
| pkg:apk/wolfi/kserve-storage-controller | (no CPE) | < 0.17.0-r2 |
| pkg:apk/wolfi/kubeflow-pipelines-visualization-server | (no CPE) | < 2.16.0-r4 |
| pkg:apk/wolfi/open-webui | (no CPE) | < 0.8.12-r3 |
| pkg:apk/wolfi/py3-cassandra-medusa | (no CPE) | < 0.27.1-r2 |
| pkg:pypi/aiohttp | (no CPE) | < 3.13.4 |
| pkg:rpm/opensuse/python-aiohttp&distro=openSUSE%20Tumbleweed | (no CPE) | < 3.13.5-3.1 |
| pkg:rpm/suse/python-aiohttp&distro=SUSE%20Linux%20Enterprise%20Server%2016.0 | (no CPE) | < 3.11.16-160000.5.1 |
| pkg:rpm/suse/python-aiohttp&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0 | (no CPE) | < 3.11.16-160000.5.1 |
References
- github.com/aio-libs/aiohttp/commit/9370b9714a7a56003cacd31a9b4ae16eab109ba4 (nvd; Patch; WEB)
- github.com/aio-libs/aiohttp/security/advisories/GHSA-63hf-3vf5-4wqf (nvd; Patch; Vendor Advisory; WEB)
- github.com/advisories/GHSA-63hf-3vf5-4wqf (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-34520 (ghsa; ADVISORY)
- github.com/aio-libs/aiohttp/releases/tag/v3.13.4 (nvd; Release Notes; WEB)