Bug 2491448 (CVE-2026-50269)

Summary: CVE-2026-50269 aiohttp: AIOHTTP: CRLF injection in multipart headers
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: alinfoot, anpicker, anthomas, aprice, bbrownin, bdettelb, bparees, brasmith, cahl, cochase, dfreiber, doconnor, dranck, drow, dschmidt, dtrifiro, ehelms, ggainey, gtanzill, hasun, ilpinto, jburrell, jbuscemi, jdobes, jfula, jkoehler, jlanda, jmitchel, jowilson, jpasqual, jsamir, juwatts, jwong, kaycoth, kshier, lichen, ljawale, lphiri, ltomasbo, mbarnett, mhulan, msilmser, nmoumoul, nyancey, oezr, omaciel, ometelka, orabin, osousa, pakotvan, pbohmill, pcreech, ptisnovs, rbryant, rchan, rjohnson, simaishi, smallamp, stcannon, sthirugn, syedriko, teagle, tmalecek, ttakamiy, vkumar, weaton, xdharmai, xialiu, yguenane, ykashtan, zzhou
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in aiohttp, an asynchronous HTTP client/server framework. This vulnerability, known as CRLF (Carriage Return Line Feed) injection, allows an attacker to modify HTTP requests by injecting malicious input into multipart or payload headers. If an application processes user-controlled data in these headers, an attacker could potentially alter the request's content or inject new headers, leading to unintended application behavior.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-06-22 18:01:58 UTC
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.0, attacker-controlled input included into multipart/payload headers can be used to modify a request to inject additional headers or similar. In the unlikely situation that an application is passing user-controlled strings into MultipartWriter.append(headers=...) or Payload.headers, then an attacker may be able to modify the request to inject headers or change the contents of the request. This vulnerability is fixed in 3.14.0.