CVE-2026-47265 in aiohttp

Summary

by MITRE • 06/03/2026

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, cookies set with the `cookies` parameter on requests are sent after following a cross-origin redirect. If a developer uses the `cookies` parameter on a per-request basis then sensitive data might be leaked to an attacker if they manage to control a redirect. Version 3.14.0 patches the issue. If unable to upgrade, using a `Cookie` header in the `headers` parameter is not vulnerable.
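The following stand-alone model, added here as an illustration and not taken from aiohttp itself, shows the difference between the two cookie policies the summary describes. It simulates a client following a redirect chain and records which cookies each hop would carry: one policy attaches the per-request cookies to every hop (the pre-3.14.0 behaviour), the other attaches them only while the hop stays on the origin of the original request. The redirect chain, the cookie value and the hostnames are constructed for the example; the same-origin rule is the model's own representation of the fix, not a transcription of the patched aiohttp code.

```python
"""Model of per-request cookie handling across redirects (added example, not aiohttp code)."""
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def origin(url):
    """Return the (scheme, host, port) origin of a URL, filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def is_same_origin(url_a, url_b):
    return origin(url_a) == origin(url_b)


def follow_redirects(start_url, cookies, responses, same_origin_only, max_redirects=10):
    """Simulate a redirect-following client and record the cookies each hop would carry.

    `responses` maps a URL to a constructed (status, Location) pair standing in for the
    server's reply. With same_origin_only=False the per-request cookies are attached to
    every hop (the behaviour the advisory describes for aiohttp before 3.14.0); with
    same_origin_only=True they are attached only while the hop's origin matches the
    origin of the original request (this model's representation of the fixed policy).
    Returns a list of (url, cookies_sent) tuples, one per hop.
    """
    hops = []
    url = start_url
    for _ in range(max_redirects + 1):
        if same_origin_only and not is_same_origin(start_url, url):
            sent = {}
        else:
            sent = dict(cookies)
        hops.append((url, sent))
        status, location = responses.get(url, (200, None))
        if status not in REDIRECT_STATUSES or not location:
            return hops
        url = urljoin(url, location)
    raise RuntimeError("too many redirects")


def cross_origin_cookie_leaks(start_url, hops):
    """URLs outside the original request's origin that would have received a cookie."""
    return [url for url, sent in hops if sent and not is_same_origin(start_url, url)]


# Constructed scenario: one redirect inside the application's own origin, then a second
# redirect to a host outside it (the case in which a redirect target is not under the
# application's control).
CONSTRUCTED_RESPONSES = {
    "https://app.example/login": (302, "/dashboard"),
    "https://app.example/dashboard": (302, "https://other.example/collect"),
    "https://other.example/collect": (200, None),
}
CONSTRUCTED_COOKIES = {"session": "constructed-session-value"}


if __name__ == "__main__":
    for policy in (False, True):
        hops = follow_redirects("https://app.example/login", CONSTRUCTED_COOKIES,
                                CONSTRUCTED_RESPONSES, same_origin_only=policy)
        leaks = cross_origin_cookie_leaks("https://app.example/login", hops)
        print(f"same_origin_only={policy}: cookies reached {leaks or 'no foreign origin'}")
```

The origin comparison normalises scheme, host and port, so `http://a.example` and `http://a.example:80/path` count as the same origin while a scheme change does not; that is the check a regression test for this class of bug should make, because a redirect chain that returns to the original host after passing through another is still a leak at the intermediate hop.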


Analysis

by VulDB Data Team • 06/03/2026

The aiohttp library presents a significant security vulnerability related to cookie handling during cross-origin redirects that affects versions prior to 3.14.0. This flaw stems from the improper ordering of cookie transmission when a request encounters a redirect to a different origin domain. When developers utilize the cookies parameter in individual requests, the framework incorrectly sends these cookies after following redirects, creating a potential avenue for information disclosure. The vulnerability is particularly concerning because it allows sensitive session data or authentication tokens to be transmitted to unintended recipients who control the redirect destination. This behavior violates fundamental security principles of cookie management and demonstrates a failure in proper cross-origin request handling mechanisms.

The technical implementation flaw occurs within the HTTP request processing pipeline where cookie headers are not properly filtered or managed during redirect operations. According to CWE-200, this represents a weakness in information disclosure where sensitive data is exposed to unauthorized parties. The vulnerability specifically affects the order of operations in the HTTP client's redirect handling logic, where cookies set via the dedicated cookies parameter are processed after the redirect resolution rather than being properly managed within the context of the original request. This misordering creates a scenario where cookies containing sensitive information are transmitted to third-party domains without proper authorization, potentially exposing user sessions or authentication tokens to malicious actors who control redirect targets.

The operational impact of this vulnerability extends beyond simple information leakage to encompass potential session hijacking and authentication bypass scenarios. Attackers who can manipulate redirect destinations can capture sensitive cookies that were intended for specific domains, potentially allowing them to impersonate users or access protected resources. This vulnerability particularly affects applications that rely on per-request cookie management rather than persistent session handling, making it a critical concern for web applications that implement dynamic redirect logic. The issue is classified under ATT&CK technique T1566.001 for credential access through social engineering and T1071.004 for application layer protocol usage, as it enables attackers to exploit legitimate redirect mechanisms for unauthorized data access.

Organizations using vulnerable versions of aiohttp should prioritize upgrading to version 3.14.0 or later to receive the patched implementation. The workaround of using the Cookie header within the headers parameter provides a secure alternative since this method does not suffer from the same redirect ordering issue. This mitigation approach aligns with secure coding practices that emphasize explicit header management over parameter-based cookie handling. Security teams should conduct comprehensive audits of their aiohttp-based applications to identify all instances where the cookies parameter is used in redirect scenarios. The vulnerability demonstrates the importance of proper cookie security controls during cross-origin operations and highlights the need for thorough testing of redirect handling logic in web applications. Organizations should also implement monitoring for unusual redirect patterns that might indicate exploitation attempts, particularly in applications where sensitive data flows through cookie-based authentication mechanisms.
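To support the audit the analysis recommends, here is an added helper (not part of aiohttp or VulDB's tooling) that walks Python source with the `ast` module and reports every call to an aiohttp-style request method that passes a per-request `cookies=` argument, noting whether `allow_redirects=False` is also present, since the advisory's issue only arises when a redirect is followed. It also includes a small version check against the fixed release 3.14.0 named in the summary. The match is purely syntactic: any call named `get`, `post`, `request`, etc. with a `cookies` keyword is reported, so calls to other HTTP libraries will show up as well and need manual triage. The sample source is constructed for the example.

```python
"""Audit helper for per-request `cookies=` usage (added example, not aiohttp's own code)."""
import ast
from collections import namedtuple

Finding = namedtuple("Finding", "filename lineno method redirects_enabled")

# Request methods of aiohttp.ClientSession (and the module-level aiohttp.request helper)
# that accept a per-request `cookies=` argument. Matching is by name only, so calls to
# other libraries with the same method names are reported too.
REQUEST_METHODS = {"get", "post", "put", "patch", "delete", "head", "options", "request"}


def _call_name(node):
    """Name of the called function for `obj.get(...)` or `get(...)`, else None."""
    if isinstance(node.func, ast.Attribute):
        return node.func.attr
    if isinstance(node.func, ast.Name):
        return node.func.id
    return None


def find_per_request_cookie_calls(source, filename="<string>"):
    """Return a Finding for each request call that passes `cookies=` as a keyword."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call) or _call_name(node) not in REQUEST_METHODS:
            continue
        keywords = {kw.arg: kw.value for kw in node.keywords if kw.arg}
        if "cookies" not in keywords:
            continue
        redirects = keywords.get("allow_redirects")
        # Only a literal `allow_redirects=False` is treated as disabling redirects.
        redirects_enabled = not (isinstance(redirects, ast.Constant) and redirects.value is False)
        findings.append(Finding(filename, node.lineno, _call_name(node), redirects_enabled))
    return findings


def is_patched_version(version):
    """True when a plain X.Y[.Z] aiohttp version string is at or above 3.14.0."""
    parts = [int(p) for p in version.split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3]) >= (3, 14, 0)


# Constructed sample module: line 4 uses the affected pattern, line 8 uses it with
# redirects disabled, line 12 uses the `Cookie` header workaround from the advisory.
SAMPLE_SOURCE = '''\
import aiohttp

async def fetch(session, url, token):
    async with session.get(url, cookies={"session": token}) as resp:
        return await resp.text()

async def fetch_no_redirect(session, url, token):
    async with session.get(url, cookies={"session": token}, allow_redirects=False) as resp:
        return await resp.text()

async def fetch_header(session, url, token):
    async with session.get(url, headers={"Cookie": "session=" + token}) as resp:
        return await resp.text()
'''


if __name__ == "__main__":
    for f in find_per_request_cookie_calls(SAMPLE_SOURCE, "sample.py"):
        state = "follows redirects" if f.redirects_enabled else "redirects disabled"
        print(f"{f.filename}:{f.lineno}: .{f.method}(cookies=...) {state}")
    print("3.13.2 patched:", is_patched_version("3.13.2"))
```

Calls that build the `Cookie` header through `headers=` are deliberately not reported, matching the workaround the summary gives; the finding for a call with `allow_redirects=False` is still listed so a reviewer can confirm that the flag is not later overridden.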

Responsible

GitHub M

Reservation

05/19/2026

Disclosure

06/03/2026

Moderation

accepted

CPE

ready

EPSS

0.00019

KEV

no

Activities

low

Sources
