AIOHTTP leaks Cookie and Proxy-Authorization headers on cross-origin redirect

GHSA-966j-vmvw-g2g9 · CVE-2026-34518

Published Apr 1, 2026 · Modified May 5, 2026

Description

Summary

When following redirects to a different origin, aiohttp drops the Authorization header, but retains the Cookie and Proxy-Authorization headers.

Impact

The Cookie and Proxy-Authorizations headers could contain sensitive information which may be leaked to an unintended party after following a redirect.

Patch: https://github.com/aio-libs/aiohttp/commit/5351c980dcec7ad385730efdf4e1f4338b24fdb6

References

WEB https://github.com/aio-libs/aiohttp/security/advisories/GHSA-966j-vmvw-g2g9
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-34518
WEB https://github.com/aio-libs/aiohttp/commit/5351c980dcec7ad385730efdf4e1f4338b24fdb6
PACKAGE https://github.com/aio-libs/aiohttp
WEB https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes