CVE-2026-34518 is a vulnerability in the aiohttp library, an asynchronous HTTP client/server framework widely used in Python applications. The flaw exists in versions prior to 3.13.4 and relates to how aiohttp handles HTTP redirects across different origins. Specifically, when following a redirect to a different origin, aiohttp correctly drops the Authorization header to prevent credential leakage, but it erroneously retains the Cookie and Proxy-Authorization headers. This inconsistent behavior can expose sensitive information such as session cookies or proxy credentials to unauthorized actors if an attacker can induce a redirect to a malicious or untrusted domain. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The CVSS 4.0 base score is 2.7, reflecting a low severity due to the limited impact scope and no requirement for authentication or user interaction. The issue was publicly disclosed and patched in version 3.13.4 of aiohttp. No known exploits are currently reported in the wild. The vulnerability primarily affects applications that rely on aiohttp for HTTP communications and perform redirects across origins, which is common in microservices, API clients, and web scraping tools. Developers and organizations should audit their aiohttp usage and upgrade to the patched version to prevent potential sensitive data leakage.

The primary impact of this vulnerability is the unintended exposure of sensitive authentication information, specifically cookies and proxy authorization headers, during cross-origin HTTP redirects. This can lead to session hijacking, unauthorized access, or proxy misuse if an attacker can control or influence redirect destinations. Although the Authorization header is correctly dropped, the retention of cookies and proxy credentials still poses a confidentiality risk. The impact is somewhat limited by the need for the application to follow redirects to attacker-controlled domains and the presence of sensitive headers in requests. The vulnerability does not affect integrity or availability directly. Organizations using aiohttp in client applications that handle sensitive sessions or proxy authentication are at risk. The low CVSS score indicates the risk is not critical but should not be ignored, especially in environments with strict data protection requirements or where aiohttp is used in security-sensitive contexts.

1. Upgrade aiohttp to version 3.13.4 or later, where this vulnerability is patched. 2. Review application logic to minimize or validate cross-origin redirects, especially those that could be influenced by untrusted input. 3. Implement strict Content Security Policy (CSP) and redirect validation to prevent redirection to malicious domains. 4. Avoid sending sensitive cookies or proxy authorization headers in requests that may be redirected across origins. 5. Use explicit session management and token handling mechanisms that do not rely solely on cookies or headers vulnerable to leakage. 6. Monitor network traffic for unexpected redirects or unauthorized transmission of sensitive headers. 7. Conduct security testing focusing on redirect handling and header exposure in aiohttp-based applications. These steps go beyond generic advice by focusing on redirect validation and header management specific to aiohttp's behavior.