CVE Vulnerabilities

CVE-2026-50269

Improper Neutralization of CRLF Sequences ('CRLF Injection')

Published: Jun 22, 2026 | Modified: Jun 26, 2026
CVSS 3.x
7.5
HIGH
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.x
RedHat/V2
RedHat/V3
4.8 LOW
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
Ubuntu
MEDIUM
root.io logo minimus.io logo echo.ai logo

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.0, attacker-controlled input included into multipart/payload headers can be used to modify a request to inject additional headers or similar. In the unlikely situation that an application is passing user-controlled strings into MultipartWriter.append(headers=…) or Payload.headers, then an attacker may be able to modify the request to inject headers or change the contents of the request. This vulnerability is fixed in 3.14.0.

Weakness

The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

Affected Software

NameVendorStart VersionEnd Version
AiohttpAiohttp*3.14.0 (excluding)
Python-aiohttpUbuntuupstream*

Potential Mitigations

References