High severity7.5NVD Advisory· Published Jun 2, 2026· Updated Jun 5, 2026
CVE-2026-47265
CVE-2026-47265
Description
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, cookies set with the cookies parameter on requests are sent after following a cross-origin redirect. If a developer uses the cookies parameter on a per-request basis then sensitive data might be leaked to an attacker if they manage to control a redirect. Version 3.14.0 patches the issue. If unable to upgrade, using a Cookie header in the headers parameter is not vulnerable.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
aiohttpPyPI | < 3.14.0 | 3.14.0 |
Affected products
43- osv-coords41 versionspkg:apk/chainguard/airflow-3pkg:apk/chainguard/awxpkg:apk/chainguard/checkovpkg:apk/chainguard/dagsterpkg:apk/chainguard/dagster-fipspkg:apk/chainguard/dask-kubernetespkg:apk/chainguard/dask-kubernetes-fipspkg:apk/chainguard/datahub-ingestionpkg:apk/chainguard/datahub-ingestion-fipspkg:apk/chainguard/gitlab-toolbox-ce-18.10pkg:apk/chainguard/gitlab-toolbox-ce-18.11pkg:apk/chainguard/gitlab-toolbox-ce-fips-18.10pkg:apk/chainguard/gitlab-toolbox-ce-fips-18.11pkg:apk/chainguard/katib-earlystoppingpkg:apk/chainguard/keep-apipkg:apk/chainguard/keep-api-fipspkg:apk/chainguard/litellmpkg:apk/chainguard/nemopkg:apk/chainguard/opalpkg:apk/chainguard/open-webuipkg:apk/chainguard/py3.10-vllm-cuda-12.4pkg:apk/chainguard/py3.10-vllm-cuda-12.9pkg:apk/chainguard/py3.10-vllm-cuda-13.0pkg:apk/chainguard/py3.12-vllm-cuda-12.4pkg:apk/chainguard/py3.12-vllm-cuda-12.9pkg:apk/chainguard/py3.12-vllm-cuda-13.0pkg:apk/chainguard/py3.13-scanner-test-libraries-aiohttppkg:apk/chainguard/py3.13-vllm-cuda-12.9pkg:apk/chainguard/py3.13-vllm-cuda-13.0pkg:apk/chainguard/request-1276pkg:apk/chainguard/text-generation-inferencepkg:apk/chainguard/tritonserver-backend-vllm-cuda-12.9pkg:apk/chainguard/tritonserver-backend-vllm-cuda-13.0pkg:apk/chainguard/vllm-cuda-13.2pkg:apk/wolfi/airflow-3pkg:apk/wolfi/checkovpkg:apk/wolfi/dask-kubernetespkg:apk/wolfi/katib-earlystoppingpkg:apk/wolfi/open-webuipkg:rpm/suse/python-aiohttp&distro=SUSE%20Linux%20Enterprise%20Server%2016.0pkg:rpm/suse/python-aiohttp&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0
< 3.2.2-r1+ 40 more
- (no CPE)range: < 3.2.2-r1
- (no CPE)range: < 24.6.1-r38
- (no CPE)range: < 3.2.533-r1
- (no CPE)range: < 1.13.8-r0
- (no CPE)range: < 1.13.8-r0
- (no CPE)range: < 2026.3.0-r6
- (no CPE)range: < 2026.3.0-r3
- (no CPE)range: < 1.6.0-r2
- (no CPE)range: < 1.6.0-r1
- (no CPE)range: < 18.10.7-r1
- (no CPE)range: < 18.11.4-r2
- (no CPE)range: < 18.10.7-r2
- (no CPE)range: < 18.11.4-r2
- (no CPE)range: < 0.19.0-r18
- (no CPE)range: < 0.53.0-r0
- (no CPE)range: < 0.52.1-r2
- (no CPE)range: < 1.87.1-r1
- (no CPE)range: < 2.7.3-r6
- (no CPE)range: < 0.9.6-r1
- (no CPE)range: < 0.9.6-r3
- (no CPE)range: < 0.18.1-r3
- (no CPE)range: < 0.19.1-r0
- (no CPE)range: < 0.20.2-r1
- (no CPE)range: < 0.18.1-r3
- (no CPE)range: < 0.19.1-r0
- (no CPE)range: < 0.20.2-r1
- (no CPE)range: < 0.0.1-r3
- (no CPE)range: < 0.19.1-r0
- (no CPE)range: < 0.20.2-r1
- (no CPE)range: < 0.29.0-r0
- (no CPE)range: < 3.3.7-r14
- (no CPE)range: < 25.9.0_git20260617-r2
- (no CPE)range: < 25.11-r8
- (no CPE)range: < 0.21.0-r1
- (no CPE)range: < 3.2.2-r1
- (no CPE)range: < 3.2.533-r1
- (no CPE)range: < 2026.3.0-r6
- (no CPE)range: < 0.19.0-r18
- (no CPE)range: < 0.9.6-r3
- (no CPE)range: < 3.11.16-160000.5.1
- (no CPE)range: < 3.11.16-160000.5.1
Patches
Vulnerability mechanics
References
4- github.com/aio-libs/aiohttp/commit/f54c40851b0d6c4bbdab97ba518a223adda32478nvdPatchWEB
- github.com/aio-libs/aiohttp/security/advisories/GHSA-hg6j-4rv6-33pgnvdMitigationPatchVendor AdvisoryWEB
- github.com/advisories/GHSA-hg6j-4rv6-33pgghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-47265ghsaADVISORY
News mentions
0No linked articles in our index yet.