2026-06-22 16:30 | CVE-2026-50269 | GitHub_M
PUBLISHED | 5.2 | CWE-93 | CWE-113

AIOHTTP: CRLF injection in multipart headers

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.0, attacker-controlled input included into multipart/payload headers can be used to modify a request to inject additional headers or similar. In the unlikely situation that an application is passing user-controlled strings into MultipartWriter.append(headers=...) or Payload.headers, then an attacker may be able to modify the request to inject headers or change the contents of the request. This vulnerability is fixed in 3.14.0.

Problem type

CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')
CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

Affected products

aio-libs

aiohttp

< 3.14.0 - AFFECTED

References

GitHub Security Advisories

GHSA-m6qw-4cw2-hm4m

aiohttp: CRLF injection in multipart headers

https://github.com/advisories/GHSA-m6qw-4cw2-hm4m

Summary

Attacker-controlled input included into multipart/payload headers can be used to modify a request to inject additional headers or similar.

Impact

In the unlikely situation that an application is passing user-controlled strings into MultipartWriter.append(headers=...) or Payload.headers, then an attacker may be able to modify the request to inject headers or change the contents of the request.

Workaround

Sanitise such user input.
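The workaround above is to sanitise user input before it reaches MultipartWriter.append(headers=...) or Payload.headers. The following is an added example, not code from the aiohttp project: an allow-list validator (names as RFC 7230 tokens, values limited to printable characters) that rejects a header carrying CR, LF, NUL or other control characters instead of trying to strip bytes out of it. The function and exception names are assumptions of this example.

```python
import re
from typing import Mapping

# Header names must be RFC 7230 tokens; values may contain only HTAB,
# printable ASCII and obs-text (Latin-1). Both patterns exclude CR, LF and
# NUL, the characters that end a header line or the multipart header block.
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
_VALUE_RE = re.compile(r"[\t\x20-\x7e\x80-\xff]*")


class UnsafeHeaderError(ValueError):
    """Raised when user-supplied header data could alter request framing."""


def header_name_is_safe(name: object) -> bool:
    return isinstance(name, str) and _TOKEN_RE.fullmatch(name) is not None


def header_value_is_safe(value: object) -> bool:
    return isinstance(value, str) and _VALUE_RE.fullmatch(value) is not None


def validate_part_headers(headers: Mapping[str, str]) -> dict[str, str]:
    """Return a copy of `headers` safe to pass as
    MultipartWriter.append(payload, headers=...). Rejects rather than strips:
    a header that needs repairing is a signal worth logging, not fixing."""
    clean: dict[str, str] = {}
    for name, value in headers.items():
        if not header_name_is_safe(name):
            raise UnsafeHeaderError(f"invalid header name: {name!r}")
        if not header_value_is_safe(value):
            raise UnsafeHeaderError(f"unsafe characters in {name}: {value!r}")
        clean[name] = value.strip(" \t")  # surrounding whitespace is not significant
    return clean


if __name__ == "__main__":
    # Constructed inputs: one benign, one carrying a CRLF that would start a
    # new header line if written into the part unchecked.
    print(validate_part_headers({"Content-Disposition": 'form-data; name="upload"'}))
    try:
        validate_part_headers({"X-Comment": "hello\r\nX-Injected: yes"})
    except UnsafeHeaderError as exc:
        print("rejected:", exc)
    # With aiohttp installed, a caller would then do:
    #   writer.append(data, headers=validate_part_headers(user_headers))
```

Validation rejects any value outside Latin-1 as well; if an application needs non-Latin-1 text in a part header it must encode it (for example per RFC 2231) before this check, not after.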

Patch: https://github.com/aio-libs/aiohttp/commit/bf88077ebb14f4c29924b8e8904cba20c55c28b8

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-50269
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-50269",
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "dateUpdated": "2026-06-22T17:22:34.049Z",
    "dateReserved": "2026-06-04T16:26:05.984Z",
    "datePublished": "2026-06-22T16:30:55.789Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M",
        "dateUpdated": "2026-06-22T16:30:55.789Z"
      },
      "title": "AIOHTTP: CRLF injection in multipart headers",
      "descriptions": [
        {
          "lang": "en",
          "value": "AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.0, attacker-controlled input included into multipart/payload headers can be used to modify a request to inject additional headers or similar. In the unlikely situation that an application is passing user-controlled strings into MultipartWriter.append(headers=...) or Payload.headers, then an attacker may be able to modify the request to inject headers or change the contents of the request. This vulnerability is fixed in 3.14.0."
        }
      ],
      "affected": [
        {
          "vendor": "aio-libs",
          "product": "aiohttp",
          "versions": [
            {
              "version": "< 3.14.0",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')",
              "cweId": "CWE-93",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')",
              "cweId": "CWE-113",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-m6qw-4cw2-hm4m",
          "name": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-m6qw-4cw2-hm4m",
          "tags": [
            "x_refsource_CONFIRM"
          ]
        },
        {
          "url": "https://github.com/aio-libs/aiohttp/commit/bf88077ebb14f4c29924b8e8904cba20c55c28b8",
          "name": "https://github.com/aio-libs/aiohttp/commit/bf88077ebb14f4c29924b8e8904cba20c55c28b8",
          "tags": [
            "x_refsource_MISC"
          ]
        }
      ],
      "metrics": [
        {}
      ]
    },
    "adp": [
      {
        "providerMetadata": {
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP",
          "dateUpdated": "2026-06-22T17:22:34.049Z"
        },
        "title": "CISA ADP Vulnrichment",
        "metrics": [
          {}
        ]
      }
    ]
  }
}