UNKNOWN PyPI

AIOHTTP has CRLF injection through multipart part content type header construction

GHSA-2vrm-gr82-f7m5 · CVE-2026-34514


Description

Summary

An attacker who controls the content_type parameter in aiohttp could use it to inject extra headers or perform similar exploits.

Impact

If an application allows untrusted data to be used for the multipart content_type parameter when constructing a request, an attacker may be able to manipulate the request to send something other than what the developer intended.


Patch: https://github.com/aio-libs/aiohttp/commit/9a6ada97e2c6cf1ce31727c6c9fcea17c21f6f06
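
An added example, not aiohttp's code and not the patch linked above: an application-side check that rejects an untrusted multipart content type before it is written into a header line. The names `validate_content_type`, `naive_part_headers` and `header_lines` and the sample values are assumptions constructed for illustration; the grammar follows the RFC 9110 media-type syntax.

```python
import re

# RFC 9110 "token" characters, used for the type, subtype and parameter names.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# type/subtype followed by optional ;name=value parameters (token or quoted-string).
_MEDIA_TYPE = re.compile(
    rf"{_TOKEN}/{_TOKEN}"
    rf"(?:[ \t]*;[ \t]*{_TOKEN}=(?:{_TOKEN}|\"[^\"\\\x00-\x1f\x7f]*\"))*"
)


def validate_content_type(value: str) -> str:
    """Return value unchanged if it is a well-formed media type, else raise.

    fullmatch() leaves no room for CR, LF or other control characters, so a
    value that passes cannot terminate the header line it is written into.
    """
    if not isinstance(value, str) or not _MEDIA_TYPE.fullmatch(value):
        raise ValueError(f"rejected content type: {value!r}")
    return value


def naive_part_headers(content_type: str) -> bytes:
    """Constructed stand-in for unsafe header building (not aiohttp's code)."""
    return f"Content-Type: {content_type}\r\n\r\n".encode("latin-1")


def header_lines(raw: bytes) -> list[bytes]:
    """Split a header block the way a receiving parser would see it."""
    return [line for line in raw.split(b"\r\n") if line]


# Constructed sample inputs.
GOOD = 'text/plain; charset="utf-8"'
BAD = "text/plain\r\nX-Injected: 1"

if __name__ == "__main__":
    print(header_lines(naive_part_headers(GOOD)))  # one header line
    print(header_lines(naive_part_headers(BAD)))   # two header lines
    try:
        validate_content_type(BAD)
    except ValueError as exc:
        print(exc)
```

Calling the validator at the point where untrusted input enters the application keeps the check in place regardless of which aiohttp version is installed.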
