VYPR
Medium severity · NVD Advisory · Published Jun 2, 2026

CVE-2026-47265

Description

AIOHTTP versions prior to 3.14.0 may leak sensitive cookie data to attackers controlling cross-origin redirects.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

AIOHTTP, an asynchronous HTTP client/server framework for asyncio and Python, is vulnerable to sensitive data leakage in versions prior to 3.14.0. When cookies are set per request with the cookies parameter, they are still sent after the client follows a cross-origin redirect. An application is affected if it passes cookies this way and allows the request to follow such redirects.

Exploitation

An attacker who can control the destination of a redirect can exploit this. If a developer uses the cookies parameter to send specific cookies with a request, and the server redirects that request to a domain the attacker controls, the cookies are transmitted to the attacker's domain. The attacker must therefore be able to influence the redirect destination.

Impact

Successful exploitation allows an attacker to steal the sensitive information contained in the leaked cookies. This could include session tokens, authentication credentials, or other personally identifiable information that the application attaches to the request via the cookies parameter. The scope of the compromise is limited to the data present in the leaked cookies.

Mitigation

Upgrade to AIOHTTP version 3.14.0 or later to fix this issue [1]. If an upgrade is not immediately possible, pass the cookies as a Cookie header in the headers parameter instead of using the cookies parameter for per-request cookies; the Cookie header is already dropped on cross-origin redirects, so that path is not vulnerable [1]. The patch was released on 2024-01-10 [2].
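To act on the workaround above you first need to know where your own code passes cookies per request. The following is an added example, not part of the advisory and not aiohttp's code: a standard-library audit helper that finds `session.<method>(..., cookies=...)` call sites with `ast`, and a version check against the fixed release. The method names are aiohttp's documented `ClientSession` request methods; the sample source it scans is constructed for this example.

```python
# Added example (not from the advisory or aiohttp): an audit helper that finds
# call sites passing a per-request cookies= keyword to aiohttp ClientSession
# methods, plus a version check against the fixed release. It uses only the
# standard library, so it runs without aiohttp installed. The method names are
# aiohttp's documented ClientSession request methods; the sample source below
# is constructed for this example.
import ast
import re
from dataclasses import dataclass

FIXED_VERSION = (3, 14, 0)  # first release with the fix, per the advisory
CLIENT_METHODS = {"request", "get", "post", "put", "patch", "delete", "head", "options"}


@dataclass
class Finding:
    line: int
    method: str
    cookies_arg: str  # source text of the cookies= value, for the report


def find_per_request_cookies(source: str) -> list[Finding]:
    """Return every call like session.get(..., cookies=...) in the source.

    Only the keyword form is matched, which is the usage the advisory describes
    as affected. Calls that send headers={"Cookie": ...} are deliberately not
    flagged, because that is the documented workaround.
    """
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in CLIENT_METHODS:
            continue
        for kw in node.keywords:
            if kw.arg == "cookies":
                findings.append(Finding(node.lineno, node.func.attr, ast.unparse(kw.value)))
    return sorted(findings, key=lambda f: f.line)


def is_fixed_version(version: str) -> bool:
    """True if an aiohttp version string is 3.14.0 or later.

    Pre-release builds such as '3.14.0rc1' are reported as not fixed, so they
    get a manual look instead of being waved through; '3.14.0.post1' counts.
    """
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    rest = version.strip()[m.end():]
    if rest and not rest.startswith("."):
        return False  # pre-release suffix: be conservative
    return tuple(int(p) for p in m.groups()) >= FIXED_VERSION


# Constructed sample: two affected call sites and one using the header workaround.
SAMPLE_SOURCE = '''
import aiohttp

async def fetch(session: aiohttp.ClientSession, url: str, token: str):
    async with session.get(url, cookies={"sid": token}) as resp:
        return await resp.text()

async def post_form(session, url, data, jar):
    async with session.post(url, data=data, cookies=jar) as resp:
        return resp.status

async def fetch_with_header(session, url, token):
    async with session.get(url, headers={"Cookie": "sid=" + token}) as resp:
        return resp.status
'''


if __name__ == "__main__":
    for f in find_per_request_cookies(SAMPLE_SOURCE):
        print(f"line {f.line}: session.{f.method}(..., cookies={f.cookies_arg})")
    for v in ("3.13.2", "3.14.0", "3.14.0rc1"):
        print(v, "fixed" if is_fixed_version(v) else "needs upgrade or workaround")
```

Run it over your own files by reading each one into `find_per_request_cookies`; every hit is a call that either needs the installed version to be 3.14.0 or later or needs converting to the header form until then. The scanner is keyword-only on purpose: a cookies dict passed positionally or through `**kwargs` will not be found, so treat a clean result as a starting point, not proof.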

AI Insight generated on Jun 2, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 1
f54c40851b0d

Drop cookies on redirect (#12550) (#12640)

https://github.com/aio-libs/aiohttp · Sam Bull · May 19, 2026 · via nvd-ref
3 files changed · +16 −2
  • aiohttp/client.py (+1 −0, modified)
    @@ -971,6 +971,7 @@ async def _connect_and_send_request(
     
                             if url.origin() != redirect_origin:
                                 auth = None
    +                            cookies = None
                                 headers.pop(hdrs.AUTHORIZATION, None)
                                 headers.pop(hdrs.COOKIE, None)
                                 headers.pop(hdrs.PROXY_AUTHORIZATION, None)
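Review bot: the new `cookies = None` line would benefit from a one-line comment explaining why it is needed next to the pre-existing `headers.pop(hdrs.COOKIE, None)` two lines below. The bug existed despite that pop, so per-request `cookies` evidently reach the redirected request by a path that is not the already-built Cookie header; without a note such as `# per-request cookies= is applied later, so clear it too` the assignment reads as redundant with the pop and is at risk of being removed in a later cleanup.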
    
  • CHANGES/12540.bugfix.rst (+1 −0, added)
    @@ -0,0 +1 @@
    +Fixed per-request ``cookies`` not being dropped on cross-origin redirects -- by :user:`Dreamsorcerer`.
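Review bot: the fragment is named `CHANGES/12540.bugfix.rst`, but the commit title references #12550 and #12640; changelog fragments are keyed by that number, so confirm it matches the issue or PR the entry should link to. The wording also stops short of the impact: "not being dropped on cross-origin redirects" is accurate, but saying that the cookies were sent to the other origin would tell readers this is a security fix and not a cosmetic one.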
    
  • tests/test_client_functional.py (+14 −2, modified)
    @@ -3593,8 +3593,20 @@ async def close(self) -> None:
         async with aiohttp.ClientSession(
             connector=connector, auth=aiohttp.BasicAuth("user", "pass")
         ) as client:
    -        resp = await client.get(url_from)
    -        assert resp.status == 200
    +        async with client.get(
    +            url_from,
    +            headers={
    +                "Proxy-Authorization": "Basic dXNlcjpwYXNz",
    +                "Cookie": "a=b",
    +            },
    +        ) as resp:
    +            assert resp.status == 200
    +        async with client.get(
    +            url_from,
    +            headers={"Proxy-Authorization": "Basic dXNlcjpwYXNz"},
    +            cookies={"a": "b"},
    +        ) as resp:
    +            assert resp.status == 200
     
     
     async def test_drop_auth_on_redirect_to_other_host_with_global_auth_and_base_url(
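Review bot: from the visible lines, both new requests only assert `resp.status == 200`; unless the handler behind the redirect target (not shown in this hunk) fails the request when it receives a `Cookie` header, the second block with `cookies={"a": "b"}` would also pass on unpatched code. Consider an explicit assertion that the redirected request carried no cookie, for example by recording the headers received at the target and checking `hdrs.COOKIE not in received`, so the test fails for the right reason. A short comment on why both the `headers={"Cookie": ...}` form and the `cookies=` form are exercised would also help, since the two paths are handled by different lines in `client.py`.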
    

Vulnerability mechanics

Root cause

"Sensitive cookies are sent after following a cross-origin redirect when using the per-request `cookies` parameter."

Attack vector

An attacker who can control the target of a redirect to a different origin is the threat here. If the application sends a request with the `cookies` parameter and that request is redirected to the attacker's origin, the cookie data is sent to the attacker's domain after the redirect, because per-request cookies are not dropped on cross-origin redirects [ref_id=1].

Affected code

The vulnerability lies within the `aiohttp/client.py` file, specifically in the `_connect_and_send_request` method. The patch modifies this method to drop cookies on cross-origin redirects [patch_id=4524239]. The test file `tests/test_client_functional.py` also includes updated tests to verify this behavior [ref_id=1].

What the fix does

The patch modifies the `_connect_and_send_request` function to explicitly set `cookies = None` when a cross-origin redirect occurs [patch_id=4524239]. This ensures that any cookies previously set for the request are discarded when redirecting to a different origin, preventing sensitive data leakage. The change is reflected in the `aiohttp/client.py` file [ref_id=1].
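The Vulnerability section and the "What the fix does" paragraph above both describe the same check: compare the origin of the original request with the origin of the redirect target, and on a mismatch drop credentials before issuing the follow-up request. The following is an added example, not aiohttp's code, that models that redirect step stand-alone so both the pre-3.14.0 behaviour and the one-line fix can be exercised without running servers. The names `origin`, `PendingRequest`, `follow_redirect` and `leaks_cookies` are this example's own; only the header names and the shape of the check follow the patch, and the URLs are constructed.

```python
# Added example (not aiohttp's code): a stand-alone model of the redirect
# handling the fix changes in aiohttp's _connect_and_send_request, so the
# cross-origin check and the one-line fix can be exercised without running
# servers. All names here (origin, PendingRequest, follow_redirect,
# leaks_cookies) are this example's own; only the header names and the check
# itself follow the patch. Hosts below are constructed.
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
SENSITIVE_HEADERS = {"authorization", "cookie", "proxy-authorization"}


def origin(url: str) -> tuple[str, str, int]:
    """Return (scheme, host, port) with the scheme's default port filled in,
    so http://a.example and http://a.example:80 compare as the same origin,
    while http://a.example and https://a.example do not."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme, -1)
    return (scheme, host, port)


@dataclass
class PendingRequest:
    """The pieces of a client request that matter for this check."""
    url: str
    headers: dict[str, str] = field(default_factory=dict)
    cookies: Optional[dict[str, str]] = None  # the per-request cookies= argument
    auth: Optional[tuple[str, str]] = None    # the per-request auth= argument


def follow_redirect(req: PendingRequest, location: str, *, patched: bool = True) -> PendingRequest:
    """Build the follow-up request for a 3xx Location header.

    Same-origin hops keep everything. Cross-origin hops drop auth and the
    Authorization / Cookie / Proxy-Authorization headers (behaviour that
    predates the fix) and, with patched=True, also clear the per-request
    cookies dict, which is what the fix adds. patched=False models versions
    before 3.14.0, where only the header copies were removed.
    """
    target = urljoin(req.url, location)  # Location may be relative
    headers = dict(req.headers)
    cookies = req.cookies
    auth = req.auth
    if origin(req.url) != origin(target):
        auth = None
        if patched:
            cookies = None
        headers = {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}
    return PendingRequest(target, headers, cookies, auth)


def leaks_cookies(req: PendingRequest, location: str, *, patched: bool) -> bool:
    """True if following this redirect would carry cookies to another origin."""
    nxt = follow_redirect(req, location, patched=patched)
    cross = origin(req.url) != origin(nxt.url)
    has_cookie_header = any(k.lower() == "cookie" for k in nxt.headers)
    return cross and (bool(nxt.cookies) or has_cookie_header)


if __name__ == "__main__":
    # Constructed scenario: the app sends a session cookie per request and the
    # server answers with a redirect to a host the app did not choose.
    req = PendingRequest("https://app.example/login",
                         headers={"Authorization": "Bearer x"},
                         cookies={"sid": "secret"}, auth=("user", "pass"))
    for patched in (False, True):
        verdict = leaks_cookies(req, "https://other.example/cb", patched=patched)
        print("patched" if patched else "unpatched", "-> leaks" if verdict else "-> safe")
```

Two details worth noticing in the model: a relative `Location` resolves against the original URL and so stays same-origin, and a scheme change on the same host (http to https) is a different origin because the default ports differ. Both are cases where a naive hostname comparison would give the wrong answer.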

Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2

News mentions: 0

No linked articles in our index yet.