CVE-2026-34525: AIOHTTP: Duplicate Host header accepted
Published Apr 1, 2026
### Summary

Multiple Host headers were allowed in aiohttp.

### Impact

Mostly this doesn't affect aiohttp security itself, but if a reverse proxy applies security rules depending on the target Host, it is theoretically possible that the proxy and aiohttp could process different host names, possibly resulting in bypassing a security check on the proxy and getting a request processed by aiohttp in a privileged sub app when using `Application.add_domain()`.

-----

Patch: https://github.com/aio-libs/aiohttp/commit/e00ca3cca92c465c7913c4beb763a72da9ed8349

Patch: https://github.com/aio-libs/aiohttp/commit/53e2e6fc58b89c6185be7820bd2c9f40216b3000
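The desync described under Impact comes down to two components choosing different values from a repeated header. The following is an added example, not code from the aiohttp project or from this advisory: it parses a constructed request head, shows how a first-wins and a last-wins parser disagree on the same bytes, and implements the strict check (exactly one Host header, otherwise 400) that a front end or middleware can apply before any component has to pick a value. Function names, host names and the sample request are assumptions for illustration.

```python
"""Detect duplicate Host headers in a raw HTTP/1.1 request head.

Added example (not aiohttp project code). Parses the header block of a
request, reports every Host value present, and rejects the request when
the count is not exactly one.
"""
from typing import List, Tuple

Header = Tuple[str, str]


def parse_headers(raw_head: bytes) -> List[Header]:
    """Parse a request head into an ordered list of (name, value) pairs.

    Names are lower-cased. Duplicates are preserved in order so the caller
    sees every occurrence instead of a silently merged or replaced one.
    """
    text = raw_head.decode("latin-1")
    lines = text.split("\r\n")
    headers: List[Header] = []
    # lines[0] is the request line; headers follow until the blank line.
    for line in lines[1:]:
        if line == "":
            break
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def host_values(headers: List[Header]) -> List[str]:
    """Return every Host value in order of appearance."""
    return [value for name, value in headers if name == "host"]


def effective_host(headers: List[Header], policy: str) -> str:
    """Show how two lenient parsers can disagree on one request.

    'first' keeps the first Host seen; 'last' lets later ones overwrite.
    A proxy and a backend using different policies is the desync risk the
    advisory describes.
    """
    hosts = host_values(headers)
    if not hosts:
        raise ValueError("no Host header")
    return hosts[0] if policy == "first" else hosts[-1]


def validate_request(raw_head: bytes) -> Tuple[int, str]:
    """Strict check: exactly one Host header, else 400 Bad Request."""
    hosts = host_values(parse_headers(raw_head))
    if len(hosts) != 1:
        return 400, f"expected exactly one Host header, got {len(hosts)}"
    return 200, hosts[0]


# Constructed sample requests (not real captures).
DUPLICATE_HOST_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: public.example\r\n"
    b"User-Agent: example-client\r\n"
    b"Host: internal.example\r\n"
    b"\r\n"
)

SINGLE_HOST_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: public.example\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    hdrs = parse_headers(DUPLICATE_HOST_REQUEST)
    print("first-wins sees:", effective_host(hdrs, "first"))
    print("last-wins sees: ", effective_host(hdrs, "last"))
    print("strict check:   ", validate_request(DUPLICATE_HOST_REQUEST))
    print("strict check:   ", validate_request(SINGLE_HOST_REQUEST))
```

The strict check is the property the fix commits restore on the aiohttp side; applying the same rule at the proxy closes the gap from the other direction, since neither side then has to guess which value the other one used.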
Affected Software

| Component | Affected versions | Fixed in |
| --- | --- | --- |
| pip/aiohttp | <=3.13.3 | 3.13.4 |
| aiohttp (GitHub advisory range) | <3.13.4 | |
Remediation
Event History

Apr 1, 2026

- 08:28 PM: CVE Published via MITRE
- 08:28 PM: Data Sourced via MITRE (Description, Weakness)
- 09:17 PM: Data Sourced via NVD (Description, Severity, Weakness)
- 09:17 PM: Data Sourced via NVD (Remedy, Affected Software)
- 09:49 PM: Advisory Published via GitHub
- 09:49 PM: Data Sourced via GitHub (Description, Weakness, Affected Software)