CVE-2026-34514: CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') in aio-libs aiohttp
CVE-2026-34514 is a vulnerability in aiohttp, an asynchronous HTTP client/server framework for Python. Versions prior to 3. 13. 4 allow an attacker controlling the content_type parameter to inject extra HTTP headers via improper neutralization of CRLF sequences, leading to HTTP request/response splitting. This issue has been patched in version 3. 13. 4. The vulnerability has a low severity score of 2. 7 and no known exploits in the wild.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2026-34514 affects aiohttp versions before 3.13.4. It involves improper neutralization of CRLF sequences in HTTP headers, specifically when an attacker controls the content_type parameter. This can enable injection of additional headers or similar HTTP request/response splitting attacks. The issue has been addressed and fixed in aiohttp version 3.13.4.
Potential Impact
An attacker able to control the content_type parameter in affected aiohttp versions could inject extra HTTP headers, potentially manipulating HTTP requests or responses. The CVSS score of 2.7 indicates a low impact, with no privileges or user interaction required and no known exploits reported.
Mitigation Recommendations
Upgrade aiohttp to version 3.13.4 or later, where this vulnerability has been patched. No additional mitigation is required once the update is applied.
CVE-2026-34514: CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') in aio-libs aiohttp
Description
CVE-2026-34514 is a vulnerability in aiohttp, an asynchronous HTTP client/server framework for Python. Versions prior to 3. 13. 4 allow an attacker controlling the content_type parameter to inject extra HTTP headers via improper neutralization of CRLF sequences, leading to HTTP request/response splitting. This issue has been patched in version 3. 13. 4. The vulnerability has a low severity score of 2. 7 and no known exploits in the wild.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability identified as CVE-2026-34514 affects aiohttp versions before 3.13.4. It involves improper neutralization of CRLF sequences in HTTP headers, specifically when an attacker controls the content_type parameter. This can enable injection of additional headers or similar HTTP request/response splitting attacks. The issue has been addressed and fixed in aiohttp version 3.13.4.
Potential Impact
An attacker able to control the content_type parameter in affected aiohttp versions could inject extra HTTP headers, potentially manipulating HTTP requests or responses. The CVSS score of 2.7 indicates a low impact, with no privileges or user interaction required and no known exploits reported.
Mitigation Recommendations
Upgrade aiohttp to version 3.13.4 or later, where this vulnerability has been patched. No additional mitigation is required once the update is applied.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-30T16:03:31.047Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 69ce7bdce6bfc5ba1ddfe7a2
Added to database: 4/2/2026, 2:23:24 PM
Last enriched: 4/10/2026, 12:10:33 AM
Last updated: 5/20/2026, 6:07:16 AM
Views: 102
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.