Bug 2484127 (CVE-2026-47265) - CVE-2026-47265 python-aiohttp: AIOHTTP: Information disclosure via improper handling of cookies during cross-origin redirects
Summary: CVE-2026-47265 python-aiohttp: AIOHTTP: Information disclosure via improper h...
Keywords:
Status: NEW
Alias: CVE-2026-47265
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-06-02 20:03 UTC by OSIDB Bzimport
Modified: 2026-06-03 22:26 UTC (History)
75 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-06-02 20:03:08 UTC 
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, cookies set with the `cookies` parameter on requests are sent after following a cross-origin redirect. If a developer uses the `cookies` parameter on a per-request basis then sensitive data might be leaked to an attacker if they manage to control a redirect. Version 3.14.0 patches the issue. If unable to upgrade, using a `Cookie` header in the `headers` parameter is not vulnerable.
Note You need to log in before you can comment on or make changes to this bug.