Skip to main content

aiohttp CVE-2026-54279

| EUVDEUVD-2026-38310 LOW
Improper Initialization (CWE-665)
2026-06-15 https://github.com/aio-libs/aiohttp GHSA-2fqr-mr3j-6wp8
1.3
CVSS 4.0 · Vendor: https://github.com/aio-libs/aiohttp

Severity by source

Vendor (https://github.com/aio-libs/aiohttp) PRIMARY
1.3 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
3.1 LOW

AC:H and UI:R because exploitation requires the application to invoke the opt-in save/load API and an attacker-controlled subdomain; only limited confidentiality impact applies.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/aio-libs/aiohttp).

CVSS VectorVendor: https://github.com/aio-libs/aiohttp

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
CVSS changed
Jun 22, 2026 - 18:23 NVD
1.3 (LOW)
Source Code Evidence Fetched
Jun 15, 2026 - 20:33 vuln.today
Analysis Generated
Jun 15, 2026 - 20:33 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 42,718 pypi packages depend on aiohttp (14,813 direct, 28,685 indirect)

Ecosystem-wide dependent count for version 3.14.1.

DescriptionCVE.org

Summary

Host-only cookies that are saved with `CookieJar.save() and then restored later with CookieJar.load()` lose their host-only status.

Impact

Host-only cookies that have been loaded from disk may get sent to subdomains that previously should have been disallowed.

-----

Patch: https://github.com/aio-libs/aiohttp/commit/a329a7aacad5284f087af36103aff778746da0f2

AnalysisAI

Cookie scope escalation in aiohttp's CookieJar persistence layer causes host-only cookies to lose their host-restricted status after a save/load cycle, allowing them to be transmitted to subdomains that the original server never authorized to receive them. Applications using pip/aiohttp <= 3.14.0 that invoke CookieJar.save() and CookieJar.load() for session persistence are affected. No public exploit code has been identified at time of analysis, but the impact is information disclosure: sensitive cookies - including session tokens or authentication credentials - may be sent to unintended subdomain endpoints, violating the HTTP cookie scoping model.

Technical ContextAI

aiohttp (pkg:pip/aiohttp) is a widely-used Python asyncio-based HTTP client/server framework. The CookieJar class provides cookie management including optional disk persistence via save() and load() methods. Per RFC 6265, a host-only cookie is one set without an explicit Domain attribute; it must only be sent back to the exact origin host, not any of its subdomains. CWE-665 (Improper Initialization) captures the root cause: when CookieJar.load() restores cookies from disk, it fails to reinstate the host-only flag, effectively converting previously host-scoped cookies into domain-scoped cookies that match any subdomain of the original host. This is a serialization fidelity defect - a cookie attribute critical to security policy is dropped during the round-trip through disk storage.

RemediationAI

Upgrade aiohttp to version 3.14.1, which contains the upstream fix (commit a329a7aacad5284f087af36103aff778746da0f2) that restores proper host-only flag handling during CookieJar deserialization. The vendor advisory is available at https://github.com/aio-libs/aiohttp/security/advisories/GHSA-2fqr-mr3j-6wp8. If an immediate upgrade is not feasible, the most effective compensating control is to avoid using CookieJar.save() and CookieJar.load() entirely and instead manage cookie persistence through application-layer session stores that correctly track cookie scope metadata. If persistence is required, manually audit the loaded cookie jar after each load() call and re-apply host-only restrictions by removing the Domain attribute from cookies that were originally host-scoped. Note that any existing persisted cookie files created by vulnerable versions should be treated as potentially corrupt with respect to host-only status and either regenerated after upgrading or validated manually.

Share

CVE-2026-54279 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy