aiohttp: TLS Server Hostname Override Is Ignored When Reusing HTTPS Connections
Description
Summary
The server_hostname TLS SNI check can be bypassed when an existing connection is reused.
Impact
If an application makes multiple requests to the same domain, but with different per-request server_hostname parameters, then the later calls may succeed by reusing the existing connection when they should have been rejected due to the TLS SNI check.
Workaround
Disable keep-alive (for example, a connector created with `force_close=True`) if you need to change the `server_hostname` check between requests, so that every request performs its own TLS handshake and hostname verification.
-----
Patch: https://github.com/aio-libs/aiohttp/commit/0ca2b6c28a25726527a8b60f25960262a91ed0e0
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
OSV coordinates, 10 versions (each package is paired below with its vulnerable version range in the order the page lists them):
- pkg:apk/chainguard/authentik-2026.2 (no CPE) range: < 2026.2.4-r4
- pkg:apk/chainguard/authentik-fips-2026.2 (no CPE) range: < 2026.2.4-r3
- pkg:apk/chainguard/metaflow-service-fips (no CPE) range: < 2.5.0-r5
- pkg:apk/chainguard/mlflow (no CPE) range: < 3.13.0-r1
- pkg:apk/chainguard/mlflow-fips (no CPE) range: < 3.13.0-r1
- pkg:apk/chainguard/request-1276 (no CPE) range: < 0.29.0-r1
- pkg:apk/chainguard/text-generation-inference (no CPE) range: < 3.3.7-r16
- pkg:apk/chainguard/tritonserver-backend-vllm-cuda-13.0 (no CPE) range: < 25.11-r9
- pkg:apk/wolfi/mlflow (no CPE) range: < 3.13.0-r1
- pkg:pypi/aiohttp (no CPE) range: < 3.14.1
Patches
Vulnerability mechanics
Root cause
"The connection pool key did not include the per-request server_hostname override, allowing a TLS connection to be reused for a different hostname."
Attack vector
The per-request `server_hostname` value is what the TLS layer uses both for SNI and for matching the server certificate. When keep-alive is enabled and a second request targets the same host and port but with a different `server_hostname`, the connection pool hands back the existing TLS connection, whose certificate was only ever checked against the first hostname. No new handshake happens, so the second request succeeds even if the server's certificate does not match the hostname it asked for. Exploitation requires that multiple requests with different `server_hostname` values go through the same `ClientSession`, and that an attacker can influence which `server_hostname` a later request carries (or can present a certificate valid only for the first name).
Affected code
The vulnerability is in `aiohttp/client_reqrep.py` where `ConnectionKey` (a `NamedTuple`) did not include the per-request `server_hostname` field. This caused the connection pool to treat two requests with different `server_hostname` values as having the same connection key, allowing a TLS connection established for one hostname to be reused for a different hostname.
What the fix does
The patch adds a `server_hostname` field to the `ConnectionKey` named tuple in `aiohttp/client_reqrep.py` and includes `self.server_hostname` when constructing the connection key. This ensures that requests with different `server_hostname` values produce distinct connection keys, preventing the connection pool from reusing a TLS connection that was established for a different hostname. The new unit tests verify that connection keys differ when `server_hostname` differs and that a pooled connection is not reused for a mismatched hostname.
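The following is an added example, not aiohttp's own code or the patch. It models the pool-key mismatch described above and the keep-alive workaround with a small stand-in for aiohttp's `ConnectionKey` and connection pool: the vulnerable key omits `server_hostname`, the fixed key includes it, and a `force_close` flag models disabling keep-alive. The IP address and hostnames are constructed sample values, and `TlsConnection.verified_hostname` stands in for whatever name the real TLS handshake validated the certificate against.

```python
from dataclasses import dataclass
from typing import Dict, NamedTuple, Optional, Tuple


# Stand-ins for aiohttp's ConnectionKey (a NamedTuple). The real key also carries
# ssl and proxy fields; only the ones relevant to this bug are modeled here.
class VulnerableKey(NamedTuple):
    host: str
    port: int
    is_ssl: bool


class FixedKey(NamedTuple):
    host: str
    port: int
    is_ssl: bool
    server_hostname: Optional[str]  # the field the patch adds


@dataclass
class Request:
    host: str
    port: int = 443
    server_hostname: Optional[str] = None  # per-request SNI / cert-match override


@dataclass
class TlsConnection:
    # Hostname the certificate was checked against when this connection was made.
    verified_hostname: str


class Pool:
    """Toy keep-alive pool: idle connections are looked up by key and reused."""

    def __init__(self, include_server_hostname: bool, force_close: bool = False):
        self.include_server_hostname = include_server_hostname
        self.force_close = force_close  # True models disabling keep-alive
        self._idle: Dict[NamedTuple, TlsConnection] = {}
        self.handshakes = 0

    def _key(self, req: Request) -> NamedTuple:
        if self.include_server_hostname:
            return FixedKey(req.host, req.port, True, req.server_hostname)
        return VulnerableKey(req.host, req.port, True)

    def _handshake(self, req: Request) -> TlsConnection:
        # Models ssl wrapping with server_hostname: the name used for SNI and
        # for certificate hostname verification (defaults to the host).
        self.handshakes += 1
        return TlsConnection(verified_hostname=req.server_hostname or req.host)

    def request(self, req: Request) -> TlsConnection:
        key = self._key(req)
        conn = self._idle.pop(key, None)
        if conn is None:
            conn = self._handshake(req)
        # ... request/response exchange would happen here ...
        if not self.force_close:
            self._idle[key] = conn  # keep-alive: park the connection for reuse
        return conn


def hostname_check_bypassed(pool: Pool, req: Request) -> bool:
    """True if the connection used was verified for a different name than requested."""
    conn = pool.request(req)
    return conn.verified_hostname != (req.server_hostname or req.host)


def run(pool: Pool) -> Tuple[str, str, int]:
    """Two requests to the same host with different server_hostname overrides."""
    first = pool.request(Request("203.0.113.10", server_hostname="api.example.test"))
    second = pool.request(Request("203.0.113.10", server_hostname="admin.example.test"))
    return first.verified_hostname, second.verified_hostname, pool.handshakes


if __name__ == "__main__":
    print("vulnerable key   :", run(Pool(include_server_hostname=False)))
    print("fixed key        :", run(Pool(include_server_hostname=True)))
    print("keep-alive off   :", run(Pool(include_server_hostname=False, force_close=True)))
```

With the vulnerable key the second request is served over the connection verified for `api.example.test` after a single handshake; with the fixed key, or with keep-alive disabled, the second request gets its own handshake verified for `admin.example.test`. In real aiohttp the workaround corresponds to `aiohttp.TCPConnector(force_close=True)` (assumed from the public connector API) so that no connection survives to be reused with a different `server_hostname`.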
Preconditions
- config: The application must use keep-alive connections (the default) and make multiple requests through the same ClientSession with different server_hostname values.
- input: The attacker must be able to control or influence the server_hostname parameter on subsequent requests.
Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
- Aiohttp: Nine CVEs Disclosed in a Single Day, Five Memory-Exhaustion DoS Flaws (Vypr Intelligence, Jun 15, 2026)