AIOHTTP: Cookie and Proxy-Authorization headers leaked on cross-origin redirect

Description

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, when following redirects to a different origin, aiohttp drops the Authorization header, but retains the Cookie and Proxy-Authorization headers. This issue has been patched in version 3.13.4.

Affected Products

Vendor	Product	Versions
aiohttp	aiohttp	< 3.13.4

References

https://github.com/aio-libs/aiohttp/security/advisories/GHSA-966j-vmvw-g2g9(x_refsource_CONFIRM)
https://github.com/aio-libs/aiohttp/commit/5351c980dcec7ad385730efdf4e1f4338b24fdb6(x_refsource_MISC)
https://github.com/aio-libs/aiohttp/releases/tag/v3.13.4(x_refsource_MISC)

Related News (2 articles)

Tier B

CERT-FR21h ago

Multiples vulnérabilités dans les produits VMware (11 mai 2026)

→ No new info (linked only)

Tier C

VulDB39d ago

CVE-2026-34518 | aio-libs aiohttp up to 3.13.3 Proxy-Authorization Header information disclosure (GHSA-966j-vmvw-g2g9)

→ No new info (linked only)

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

aiohttp@3.13.4

CWECWE-200

PublishedApr 1, 2026

Last enriched39d agov2

Trending Score55

Source articles2

Independent2

Info Completeness8/14

Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (4)

Version History

Last enriched 39d ago

v2Tier C39d ago

Updated severity to MEDIUM, marked as actively exploited, and noted that no exploit is available.

severityactivelyExploited

via VulDB

v140d ago

Initial creation