CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-47265

CVE-2026-47265: Cross-Origin Cookie Leakage in AIOHTTP Client Redirects

Amit Schendel
Amit Schendel
Senior Security Researcher

Jun 3, 2026·6 min read·42 visits

Executive Summary (TL;DR)

AIOHTTP fails to clear the per-request `cookies` parameter during cross-origin redirects, causing sensitive cookies to be transmitted to untrusted third-party servers.

AIOHTTP prior to version 3.14.0 fails to clear request-specific cookies when executing cross-origin automatic HTTP redirects. This vulnerability allows remote web servers to harvest sensitive credentials and session cookies originally scoped to an authorized target domain.

Vulnerability Overview

The AIOHTTP asynchronous HTTP client framework for Python is widely utilized in microservice architectures, web scrapers, and automated integration pipelines. When executing outbound HTTP requests, applications frequently handle stateful sessions using cookies. AIOHTTP manages these credentials using either a session-level global cookie jar or request-specific parameters.

This vulnerability lies within the origin validation boundaries of the redirect resolution process. Specifically, when an HTTP request initiated by an AIOHTTP client receives an automatic redirect status code, the library resolves the new location and determines if the destination resides on a different origin.

If the redirect target constitutes a different origin (by scheme, host, or port), the framework is designed to sanitize the outgoing request to prevent credential disclosure. However, under CWE-346 (Origin Validation Error), the sanitization logic fails to address request-specific local variables. Consequently, sensitive authentication tokens are unintentionally forwarded to untrusted external domains.

Root Cause Analysis

To understand the root cause, it is necessary to examine how AIOHTTP isolates request-specific state. When invoking client requests via ClientSession._request(), a developer can supply cookies using the cookies argument, such as session.get(url, cookies={'session_id': 'secret'}). These arguments are handled locally within the request lifecycle rather than being merged into the persistent, domain-constrained CookieJar class.

When a remote server issues a redirect response (e.g., 301, 302, or 307) and redirection is enabled, the client framework executes a loop in _connect_and_send_request to dispatch subsequent queries. During a cross-origin transition, the following logical evaluation is performed:

if url.origin() != redirect_origin:
    auth = None
    headers.pop(hdrs.AUTHORIZATION, None)
    headers.pop(hdrs.COOKIE, None)
    headers.pop(hdrs.PROXY_AUTHORIZATION, None)

While this sanitization process successfully purges standard HTTP headers like Authorization and Cookie from the request headers dictionary, it fails to alter or nullify the local cookies variable. Because this variable remains bound to the execution scope of the loop, it is passed directly into the subsequent ClientRequest constructor for the new, cross-origin URL. The constructor then generates a new Cookie header from this pristine local variable and transmits it to the external destination.

Code Analysis

The official patch introduced in commit f54c40851b0d6c4bbdab97ba518a223adda32478 resolves the bug by explicitly purging the local cookies variable alongside standard HTTP headers.

# Source: aiohttp/client.py
@@ -971,6 +971,7 @@ async def _connect_and_send_request(
 
                         if url.origin() != redirect_origin:
                             auth = None
+                            cookies = None
                             headers.pop(hdrs.AUTHORIZATION, None)
                             headers.pop(hdrs.COOKIE, None)
                             headers.pop(hdrs.PROXY_AUTHORIZATION, None)

By adding cookies = None, the client ensures that the subsequent call to the ClientRequest constructor receives an empty state for the per-request cookies parameter, preventing the re-creation of the Cookie header.

While this fix is highly effective at stopping parameter leakage, security engineers must remain aware of adjacent attack surfaces. Specifically, the origin validation relies on the yarl library's url.origin() method. Parser differentials between yarl and downstream socket resolution libraries regarding malformed URLs or Unicode Internationalized Domain Names (IDNs) could hypothetically still lead to origin confusion. Additionally, custom API authorization headers, such as X-API-Key or X-Auth-Token, are not explicitly stripped by this logic and will continue to propagate across redirects.

Exploitation Methodology

An exploitation scenario requires an attacker to control or influence the redirect destination of an HTTP request initiated by an AIOHTTP client. This is common in server-side request forgery (SSRF) entry points, webhook processing systems, or open-redirect vulnerabilities hosted on a target domain.

To exploit this vulnerability, an attacker can manipulate an API endpoint to return a redirect response to an attacker-controlled server. If the vulnerable client executes the request using local parameters, the credentials are automatically leaked to the attacker's endpoint:

# Vulnerable configuration
async with aiohttp.ClientSession() as session:
    # Under affected versions, the cookie below is forwarded to attacker.com upon redirection
    await session.get("https://target.com/api", cookies={"session_id": "SECRET"})

When the client encounters a 302 Found directing it to https://attacker.com, it automatically connects to the external server. The server's connection log then captures the incoming request containing the valid, unexpired Cookie: session_id=SECRET header.

Impact Assessment

The potential impact of this vulnerability depends on the lifecycle and privilege level of the leaked cookies. If the client uses session identifiers, administrative JSON Web Tokens (JWTs), or authentication cookies to communicate with stateful APIs, an attacker gaining these values can perform session hijacking or unauthorized API transactions.

This vulnerability has been assigned a CVSS v4.0 score of 6.6 (Medium) with a vector of CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U. The confidentiality impact on the client execution environment is marked as High because authentication tokens can be recovered by unauthorized external entities.

Currently, the Exploit Prediction Scoring System (EPSS) score remains low at 0.00019 (0.019% probability), reflecting the absence of weaponized public exploits or active exploitation in the wild. Nonetheless, applications performing high-volume server-side HTTP client requests are at distinct risk if they process dynamic redirects without strict input sanitization.

Remediation and Mitigation

The definitive resolution for CVE-2026-47265 is upgrading the aiohttp library to version 3.14.0 or later. This ensures that the framework's internal redirection logic correctly purges local cookies prior to executing cross-origin requests.

pip install --upgrade aiohttp>=3.14.0

For environments where an immediate library upgrade is not feasible, developers must refactor request invocations to construct the standard Cookie header explicitly within the headers argument rather than relying on the cookies argument. This ensures that existing header-clearing routines remove the sensitive data before cross-origin requests are dispatched:

# INSECURE pattern in < 3.14.0
await session.get("https://target.com", cookies={"token": "secret"})
 
# SECURE workaround pattern in all versions
headers = {"Cookie": "token=secret"}
await session.get("https://target.com", headers=headers)

Additionally, implementing a strict egress control policy or disabling redirects (allow_redirects=False) on requests containing sensitive credentials provides an extra layer of defense.

Official Patches

aio-libsGitHub Security Advisory GHSA-hg6j-4rv6-33pg
aio-libsBugfix commit for cross-origin redirect credential leakage

Fix Analysis (1)

Technical Appendix

CVSS Score
6.6/ 10
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
EPSS Probability
0.02%
Top 95% most exploited

Affected Systems

AIOHTTP asynchronous HTTP client framework

Affected Versions Detail

Product
Affected Versions
Fixed Version
aiohttp
aio-libs
< 3.14.03.14.0
AttributeDetail
CWE IDCWE-346: Origin Validation Error
Attack VectorNetwork
CVSS Score6.6 (Medium)
EPSS Score0.00019 (Percentile: 5.36%)
ImpactHigh Confidentiality Loss (Credential Leakage)
Exploit Statusnone
CISA KEV StatusNot Listed

MITRE ATT&CK Mapping

T1539Steal Web Session Cookie
Credential Access
T1557Adversary-in-the-Middle
Collection
CWE-346
Origin Validation Error

The software does not properly control or validate the origin of a request or message, potentially leading to unauthorized operations or data disclosure.

Vulnerability Timeline

Official security patch committed to the aiohttp repository
2026-05-19
Vulnerability advisory published on GitHub Security Advisories
2026-06-02
CVE-2026-47265 registered on NVD
2026-06-02

References & Sources

  • [1]AIOHTTP Security Advisory
  • [2]CVE-2026-47265 Record

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•about 23 hours ago•GHSA-8RQH-VXPR-X77P
4.3

GHSA-8RQH-VXPR-X77P: Stored Cross-Site Scripting via MIME Type Spoofing in Plone REST API

A stored Cross-Site Scripting (XSS) vulnerability exists within plone.restapi, the REST API package for Plone content management system. By supplying a spoofed input MIME type (text/x-html-safe), an attacker can mislead the rendering layer (plone.app.textfield) into assuming that the supplied content is already sanitized. This causes the system to skip the safe_html transform, allowing arbitrary JavaScript to execute in the victim's browser when they view the compromised page.

Amit Schendel
Amit Schendel
7 views•7 min read
•1 day ago•CVE-2026-11400
8.0

CVE-2026-11400: Privilege Escalation via Untrusted Search Path in AWS Advanced JDBC Wrapper

An untrusted search path vulnerability in the GlobalDatabasePlugin component of the AWS Advanced JDBC Wrapper for Amazon Aurora PostgreSQL allows authenticated, low-privilege database users to hijack administrative session queries. By defining a custom function in a writable schema such as the public schema, an attacker can hijack queries executed automatically during driver-level topology detection. When a highly privileged database user connects to the database utilizing an affected version of the wrapper, the custom function executes under their security context, enabling remote privilege escalation to rds_superuser.

Alon Barad
Alon Barad
7 views•6 min read
•1 day ago•CVE-2026-27771
8.2

CVE-2026-27771: Authentication Bypass and Information Disclosure in Gitea Container and Composer Registries

CVE-2026-27771 represents a critical security flaw in Gitea and Forgejo (up to and including version 1.26.1) involving missing authorization checks (CWE-862). Unauthenticated remote attackers can query, enumerate, and download private container images from the OCI-compliant container registry. Additionally, unauthorized users can retrieve private or internal source repository URLs via the Composer package registry metadata API. A public proof-of-concept exists, and threat metrics indicate highly active scanning and exploitation risks.

Alon Barad
Alon Barad
10 views•7 min read
•1 day ago•GHSA-CVPC-HCCG-WMW4
8.8

GHSA-CVPC-HCCG-WMW4: Missing Authorization in Formie Administrative Settings Allows Privilege Escalation

A missing authorization vulnerability in the Formie plugin for Craft CMS prior to version 3.1.28 allows low-privileged Control Panel users to read and modify sensitive administrative settings, configuration options, and third-party integrations.

Amit Schendel
Amit Schendel
6 views•6 min read
•1 day ago•CVE-2026-53598
7.5

CVE-2026-53598: Arbitrary File Read via File Reference Expansion in Microsoft Prompty

CVE-2026-53598 is a directory traversal and arbitrary file read vulnerability in Microsoft Prompty ecosystem loaders across multiple languages. Prior to version 2.0.0-beta.2, the loaders resolved `${file:...}` reference strings inside frontmatter configuration blocks without enforcing that the target file paths resided within authorized directories. This deficiency allows an attacker-controlled configuration file to read sensitive operating system and application files through absolute paths, directory traversal, or symbolic link escapes. The issue is addressed across the Python, C#, Node.js/TypeScript, and Rust ecosystems.

Amit Schendel
Amit Schendel
7 views•6 min read
•1 day ago•GHSA-MFR4-MQ8W-VMG6
7.3

GHSA-MFR4-MQ8W-VMG6: Path Traversal in proot-distro copy Command Allows Container Escape

A directory traversal vulnerability exists in the copy subcommand of the proot-distro utility. Due to incomplete path sanitization, local attackers or malicious scripts can read from or write to arbitrary files outside the container rootfs, bypassing isolation barriers and potentially gaining unauthorized access or persistent execution on the host system.

Alon Barad
Alon Barad
7 views•7 min read