CVE-2026-47265: Cross-Origin Cookie Leakage in AIOHTTP Client Redirects
Vulnerability ID: CVE-2026-47265
CVSS Score: 6.6
Published: 2026-06-03
AIOHTTP prior to version 3.14.0 fails to clear request-specific cookies when automatically following a cross-origin HTTP redirect. A remote web server that the client is redirected to can therefore receive sensitive credentials and session cookies that were scoped only to the original, authorized target domain.
TL;DR
AIOHTTP fails to clear the per-request cookies parameter during cross-origin redirects, causing sensitive cookies to be transmitted to untrusted third-party servers.
Technical Details
- CWE ID: CWE-346: Origin Validation Error
- Attack Vector: Network
- CVSS Score: 6.6 (Medium)
- EPSS Score: 0.00019 (Percentile: 5.36%)
- Impact: High Confidentiality Loss (Credential Leakage)
- Exploit Status: none
- CISA KEV Status: Not Listed
Affected Systems
- AIOHTTP asynchronous HTTP client framework
- aiohttp < 3.14.0 (fixed in 3.14.0)
Code Analysis
Commit: f54c408
Fixed per-request cookies not being dropped on cross-origin redirects
Mitigation Strategies
- Upgrade aiohttp to version 3.14.0 or newer, so that the client's origin check is applied to per-request cookies as well as to the cookie jar.
- Manually format the Cookie header inside the headers parameter as a temporary workaround if upgrading is not immediately possible.
- Enforce network-level restrictions on outgoing requests or disable automatic redirect following (allow_redirects=False) when handling high-privilege credentials.
Remediation Steps
- Identify all microservices and automated Python scripts utilizing aiohttp for outbound HTTP calls.
- Analyze client instances to locate usage of client.get() or client.post() passing the 'cookies' parameter.
- Modify dependencies to target aiohttp >= 3.14.0.
- In legacy systems, refactor 'cookies' arguments into the 'headers' parameter as 'Cookie: key=value'.
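The origin check the mitigation relies on, as an added example written for this advisory (not aiohttp's own code and not the fix in commit f54c408): per-request cookies are forwarded to the next hop only while the redirect target keeps the scheme, host and port of the request that carried them. The redirect chain is constructed, and the host names are placeholders.

```python
# Added example, not aiohttp's implementation: a redirect policy that drops
# per-request cookies as soon as an automatic redirect leaves the origin.
from __future__ import annotations
from urllib.parse import urlsplit, urljoin

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> tuple[str, str, int]:
    """Return the (scheme, host, port) origin of a URL, filling in default ports."""
    parts = urlsplit(url)
    scheme = (parts.scheme or "http").lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme, 0)
    return scheme, host, port


def cookies_for_redirect(request_url: str, location: str, cookies: dict) -> tuple[str, dict]:
    """Resolve a Location header and decide which per-request cookies may follow.

    Same origin: forward the cookies unchanged. Cross-origin: forward none,
    which is the behaviour the vulnerable versions lacked.
    """
    next_url = urljoin(request_url, location)  # relative Locations are allowed
    if origin(next_url) == origin(request_url):
        return next_url, dict(cookies)
    return next_url, {}


def simulate_chain(start_url: str, cookies: dict, responses: dict, max_redirects: int = 10) -> list:
    """Replay a constructed redirect chain without any network access.

    `responses` maps a request URL to its Location header (None = final response).
    Returns [(url, cookies_sent_to_that_url), ...] for every hop.
    """
    hops = []
    url, to_send = start_url, dict(cookies)
    for _ in range(max_redirects + 1):
        hops.append((url, to_send))
        location = responses.get(url)
        if location is None:
            return hops
        url, to_send = cookies_for_redirect(url, location, to_send)
    raise RuntimeError("too many redirects")


# Constructed chain: one same-origin hop, then a hop to a third-party host.
CONSTRUCTED_CHAIN = {
    "https://api.example.test/login": "/v2/login",
    "https://api.example.test/v2/login": "https://third-party.example.test/collect",
    "https://third-party.example.test/collect": None,
}
```

Running simulate_chain("https://api.example.test/login", {"session": "abc"}, CONSTRUCTED_CHAIN) shows the session cookie reaching the same-origin hop and an empty cookie set reaching the third-party host.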
References
Read the full report for CVE-2026-47265 on our website for more details including interactive diagrams and full exploit analysis.