A vulnerability in AIOHTTP, the popular asynchronous HTTP client/server framework for Python, tracked as CVE-2026-47265 (CVSS 7.5 High), causes cookies set with the cookies parameter on requests to be sent after following redirects to different domains. This can leak session cookies and authentication tokens to unintended third-party servers.
What Is the Vulnerability?
CVE-2026-47265 exists because AIOHTTP sends cookies configured via the cookies parameter along with redirected requests, even when the redirect target is a different domain. Normally, HTTP clients should only send cookies to the domain that set them — sending cookies across domain boundaries on redirect is a security violation that can expose session tokens and authentication cookies to attacker-controlled or compromised third-party servers that receive redirected traffic.
Which Versions Are Affected?
- AIOHTTP: all versions prior to 3.14.0
What Is the Fix?
Update AIOHTTP to version 3.14.0 or later. Quote the version specifier so the shell does not treat `>=` as a redirection: pip install --upgrade "aiohttp>=3.14.0"
Recommendations
Update AIOHTTP to 3.14.0. AIOHTTP is used in thousands of Python web applications and API clients. Cookie leakage on redirect is particularly dangerous for applications that interact with third-party APIs where redirects are common.
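The following is an added, self-contained example (not code from the advisory or from aiohttp) showing the two checks a defender wants here: whether an installed aiohttp version string predates the 3.14.0 fix, and, for an application that follows redirects itself (aiohttp's `allow_redirects=False` leaves that to the caller), whether per-request cookies may accompany a given hop. The forwarding rule it applies, attach the request's cookies only when the resolved redirect target has the same host the caller originally addressed, is the conservative policy and an assumption of this example, not a description of how 3.14.0 implements its fix; the redirect chain and all function names are constructed for illustration.

```python
from __future__ import annotations

import re
from urllib.parse import urljoin, urlsplit

# First aiohttp release that no longer forwards request cookies across domains (per the advisory).
FIXED_VERSION = (3, 14, 0)


def is_affected_version(version: str) -> bool:
    """True if an aiohttp version string (e.g. from aiohttp.__version__) is older than 3.14.0."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    parts = parts + (0,) * (3 - len(parts))  # pad "3.9" to (3, 9, 0)
    return parts < FIXED_VERSION


def _host(url: str) -> str:
    host = urlsplit(url).hostname  # already lower-cased by urlsplit
    if host is None:
        raise ValueError(f"URL has no host: {url!r}")
    return host


def may_forward_request_cookies(origin_url: str, current_url: str, location: str) -> tuple[bool, str]:
    """Decide whether cookies passed for origin_url may accompany the next redirect hop.

    The Location header is resolved against the URL that issued it, exactly as a client
    would, so relative ("/v2/login") and scheme-relative ("//other.example/...") redirects
    are handled; only the resolved target's host is compared with the originally addressed host.
    """
    target = urljoin(current_url, location)
    return _host(target) == _host(origin_url), target


def audit_redirect_chain(start_url: str, locations: list[str]) -> list[dict]:
    """Walk a constructed chain of Location headers and record, per hop, whether cookies may go."""
    hops, current = [], start_url
    for location in locations:
        allowed, target = may_forward_request_cookies(start_url, current, location)
        hops.append({"from": current, "to": target, "cookies_attached": allowed})
        current = target
    return hops


if __name__ == "__main__":
    # Constructed chain: a same-host relative redirect, then a scheme-relative hop to another domain.
    chain = ["/v2/login", "//cdn.example.net/landing", "/final"]
    for hop in audit_redirect_chain("https://api.example.com/login", chain):
        print(hop)
```

On the constructed chain the first hop keeps the cookies and the two hops on cdn.example.net do not, which is the behaviour a pre-3.14.0 client following redirects automatically would not give you.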
References
This advisory is covered in the broader Vulnerability Intelligence Report — June 4, 2026.
