CVE Catalog

CVE-2026-50269

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.30%

22th percentile — higher than 22% of all known CVEs

Summary

In the AIOHTTP library before version 3.14.0, a vulnerability allows HTTP header injection through attacker-controlled input included in multipart/payload headers. If an application passes user-controlled strings into `MultipartWriter.append(headers=...)` or `Payload.headers`, an attacker may modify the request to inject headers or change its contents.

Risk Assessment

The risk involves potential manipulation of HTTP requests, which could lead to data integrity breaches, bypassing security mechanisms, or request smuggling attacks.

Recommendation

Immediately update the AIOHTTP library to version 3.14.0 or later. As a workaround, avoid passing user-controlled data to the `headers` parameter in `MultipartWriter.append()` and `Payload.headers`.

Original NVD description (English source)

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.0, attacker-controlled input included into multipart/payload headers can be used to modify a request to inject additional headers or similar. In the unlikely situation that an application is passing user-controlled strings into MultipartWriter.append(headers=...) or Payload.headers, then an attacker may be able to modify the request to inject headers or change the contents of the request. This vulnerability is fixed in 3.14.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS