Buffer Overflow Vulnerability in AIOHTTP Framework by aio-libs
CVE-2026-34520

2.7LOW

Key Information:

Vendor

Aio-libs

Status
Aiohttp
Vendor
CVE Published:
1 April 2026

What is CVE-2026-34520?

A critical vulnerability in the AIOHTTP framework, which serves as an asynchronous HTTP client and server for Python, was identified prior to version 3.13.4. The issue arises from the C parser, which incorrectly processes null bytes and control characters in response headers. This flaw can potentially expose systems to various security risks. A patch has been implemented in version 3.13.4, ensuring that such vulnerabilities are mitigated effectively. Users are strongly encouraged to upgrade to this version or later to maintain the integrity and security of their applications.

Affected Version(s)

aiohttp < 3.13.4

References

https://github.com/aio-libs/aiohttp/security/advisories/G...
x_refsource_CONFIRM
https://github.com/aio-libs/aiohttp/commit/9370b9714a7a56...
x_refsource_MISC
https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4
x_refsource_MISC

CVSS V4

Score:
2.7
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.