Memory Handling Flaw in AIOHTTP Framework Affects Python-Based Applications
CVE-2026-34517

2.7 LOW

Key Information:

Vendor: Aio-libs

Status
Vendor
CVE Published: 1 April 2026

What is CVE-2026-34517?

AIOHTTP, an asynchronous HTTP client/server framework for Python, contains a memory handling flaw prior to version 3.13.4 that allows certain multipart form fields to be read into memory without first checking against the defined client_max_size. This potentially exposes applications to excessive memory consumption, leading to degraded performance or service disruption. Users are strongly encouraged to upgrade to version 3.13.4 or later, where this issue has been resolved.

Affected Version(s)

aiohttp < 3.13.4
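
One way to check pinned dependencies against the affected range above, as an added example that is not part of the original advisory or of the aiohttp project: the script reads pip-style requirements text and classifies each aiohttp entry against 3.13.4. The sample requirements and the function names are constructed for illustration.

```python
import re

FIXED = (3, 13, 4)  # first fixed release named in the advisory

# Constructed sample requirements file (not from a real project).
SAMPLE = """\
# web tier
aiohttp==3.13.3
AioHTTP[speedups]==3.13.4  # already patched
aiohttp>=3.9
aiohttp-cors==0.7.0
requests==2.32.0
aiohttp==3.9.0b1 ; python_version < "3.9"
"""

# name, optional [extras], then the version specifier up to a marker or comment
_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*([^;#]*)")
# exact pin: numeric release plus whatever suffix follows it
_PIN = re.compile(r"^={2,3}\s*(\d+(?:\.\d+)*)(.*)$")
_PRE = re.compile(r"^[._-]?(a|b|rc|dev)\d*$", re.I)


def classify(spec):
    """Return 'affected', 'fixed' or 'review' for one version specifier."""
    pin = _PIN.match(spec)
    if not pin:
        return "review"  # range or bare name: the file alone cannot decide
    release = tuple(int(p) for p in pin[1].split("."))
    release += (0,) * (3 - len(release))
    suffix = pin[2].strip()
    if _PRE.match(suffix):
        # a pre-release of the fixed version still sorts before it
        return "affected" if release <= FIXED else "fixed"
    if suffix and not suffix.lower().startswith(".post"):
        return "review"  # wildcard or compound specifier
    return "affected" if release < FIXED else "fixed"


def audit(text):
    """Return [(line_number, status)] for every aiohttp requirement line."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        m = _LINE.match(line)
        # PEP 503 name normalisation keeps aiohttp-cors and similar out
        if m and re.sub(r"[-_.]+", "-", m[1]).lower() == "aiohttp":
            findings.append((number, classify(m[2].strip().rstrip("\\").strip())))
    return findings
```

A pin records what was requested, so entries marked "review" and any environment built without a lock file still need the installed version confirmed.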

CVSS V4

Score: 2.7
Severity: LOW
Confidentiality: None
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
