Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AC:H reflects non-default per-request server_hostname usage required; S:C and C:H capture TLS identity boundary crossing with potential cross-tenant data exposure.
Primary rating from Vendor (https://github.com/aio-libs/aiohttp).
CVSS VectorVendor: https://github.com/aio-libs/aiohttp
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3Blast Radius
ecosystem impact- 42,718 pypi packages depend on aiohttp (14,813 direct, 28,685 indirect)
Ecosystem-wide dependent count for version 3.14.1.
DescriptionCVE.org
Summary
The server_hostname TLS SNI check can be bypassed when an existing connection is reused.
Impact
If an application makes multiple requests to the same domain, but with different per-request server_hostname parameters, then the later calls may succeed by reusing the existing connection when they should have been rejected due to the TLS SNI check.
Workaround
Disable keep_alive if you need to change the server_hostname check between requests.
-----
Patch: https://github.com/aio-libs/aiohttp/commit/0ca2b6c28a25726527a8b60f25960262a91ed0e0
AnalysisAI
TLS SNI hostname validation in aiohttp is silently bypassed when a keep-alive connection is reused from the connection pool, allowing per-request server_hostname overrides to be ignored on subsequent requests to the same host. Applications relying on dynamic per-request SNI to enforce tenant isolation, proxy routing, or custom certificate validation are at risk of connecting under the wrong TLS identity without any error raised. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; a vendor-released patch is available in aiohttp 3.14.1.
Technical ContextAI
aiohttp (pkg:pip/aiohttp) is a widely used asynchronous HTTP client/server framework for Python. Its client session supports connection pooling with keep-alive by default, reusing established TCP/TLS connections across requests to the same host to reduce latency. The library also exposes a per-request server_hostname parameter that sets the TLS SNI value and governs certificate hostname validation for that specific request, intended for use cases such as SNI-based routing, multi-tenant proxies, and custom TLS inspection pipelines. The root cause is CWE-297 (Improper Validation of Certificate with Host Mismatch): when the connection pool satisfies a new request with an already-established connection, the library does not compare the new request's server_hostname against the SNI already negotiated on the existing connection, resulting in the per-request check being entirely skipped.
RemediationAI
Upgrade aiohttp to version 3.14.1 or later, which includes the upstream fix at commit 0ca2b6c28a25726527a8b60f25960262a91ed0e0; the authoritative advisory is at https://github.com/aio-libs/aiohttp/security/advisories/GHSA-4m7w-qmgq-4wj5. If an immediate upgrade is not feasible, the vendor-documented workaround is to disable keep_alive on the aiohttp ClientSession or per-request configuration (e.g., connector=aiohttp.TCPConnector(force_close=True) or connector_owner=False with a fresh connector per request); this forces a new TLS handshake for every request and eliminates the connection reuse path that bypasses the SNI check. The trade-off is a meaningful increase in connection overhead and latency, particularly under high request volumes, since each request will incur a full TCP and TLS handshake. Audit any aiohttp-based code that passes server_hostname as a per-request argument to identify affected call sites before applying compensating controls.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38312
GHSA-4m7w-qmgq-4wj5