Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-54275

CVE-2026-54275: AIOHTTP Auth Bypass Vulnerability

CVE-2026-54275 is an authentication bypass flaw in AIOHTTP's TLS SNI validation that allows attackers to reuse connections with mismatched hostnames. This post covers technical details, affected versions, and mitigations.

Published:

CVE-2026-54275 Overview

CVE-2026-54275 is a TLS Server Name Indication (SNI) validation bypass in aiohttp, an asynchronous HTTP client/server framework for Python's asyncio. Versions prior to 3.14.1 fail to enforce per-request server_hostname parameters when reusing existing TLS connections from the connection pool. Applications that issue multiple requests to the same domain while passing different server_hostname values may accept reused connections that should have been rejected by the SNI check. The flaw is tracked under [CWE-297: Improper Validation of Certificate with Host Mismatch]. A fix is available in aiohttp 3.14.1.

Critical Impact

Applications relying on server_hostname for per-request TLS identity validation can route requests over a connection whose SNI does not match the requested hostname, weakening hostname verification guarantees.

Affected Products

  • aiohttp versions prior to 3.14.1
  • Python applications using aiohttp client with custom server_hostname parameters
  • HTTP client workflows that reuse connections via the default connection pool

Discovery Timeline

  • 2026-06-22 - CVE-2026-54275 published to NVD
  • 2026-06-22 - Last updated in NVD database

Technical Details for CVE-2026-54275

Vulnerability Analysis

The vulnerability resides in how aiohttp selects connections from its internal pool. When a client establishes a TLS session, the server_hostname parameter sets the SNI extension and drives certificate hostname verification. On subsequent requests to the same host, aiohttp may reuse the existing connection without re-evaluating whether the new request's server_hostname matches the one negotiated during the original handshake. As a result, a later call that should fail validation can succeed because it inherits the trust context of the pooled connection.

This behavior undermines applications that intentionally vary server_hostname per request, such as those probing virtual hosts, multi-tenant TLS endpoints, or services with strict SNI-based routing. The Exploit Prediction Scoring System (EPSS) value of 0.254% reflects limited near-term exploitation activity, but the logic flaw still weakens defense-in-depth controls that rely on SNI for tenant isolation.

Root Cause

The connection pool key does not incorporate the server_hostname argument when determining reuse eligibility. Connections are matched by destination host and port, so a pooled connection negotiated with one SNI value is returned for a later request that specifies a different SNI value. The TLS handshake, and therefore the SNI check, is never repeated for the new request.

Attack Vector

Exploitation requires an application that issues multiple HTTPS requests to the same (host, port) while supplying differing server_hostname parameters. An attacker who controls one of the target hostnames, or who can influence application logic to route a request with an unintended server_hostname, can cause the request to traverse a TLS session bound to a different identity. The attack does not require defeating TLS itself; it abuses pool reuse logic to skip the intended SNI validation step.

No public proof-of-concept or active exploitation has been reported. See the GitHub Security Advisory GHSA-4m7w-qmgq-4wj5 for the maintainers' description of the fix.

Detection Methods for CVE-2026-54275

Indicators of Compromise

  • Application logs showing successful HTTPS responses for requests whose server_hostname parameter does not match the certificate Subject Alternative Name presented during the original handshake.
  • Telemetry indicating that distinct logical tenants share a single underlying TLS socket against the same (host, port) pair.

Detection Strategies

  • Inventory Python services and CI pipelines using aiohttp, then identify versions below 3.14.1 through pip show aiohttp or software composition analysis tools.
  • Review code paths that pass a server_hostname argument to ClientSession.request, TCPConnector, or aiohttp.ClientSession.get, and flag those using a shared connector across hostnames.
  • Add unit tests that issue back-to-back requests with differing server_hostname values and assert the handshake is renegotiated.

Monitoring Recommendations

  • Capture TLS handshake counts at the egress proxy and compare against application request counts; large divergence suggests heavy connection reuse where SNI is not re-validated.
  • Alert on dependency manifests (requirements.txt, poetry.lock, Pipfile.lock) that pin aiohttp below 3.14.1.
  • Track outbound TLS sessions per process and correlate with the requested hostnames recorded in application logs.

How to Mitigate CVE-2026-54275

Immediate Actions Required

  • Upgrade aiohttp to version 3.14.1 or later across all production, staging, and developer environments.
  • Audit application code for use of per-request server_hostname and confirm reuse expectations after patching.
  • Rebuild and redeploy container images that bundle vulnerable aiohttp versions to remove cached wheels.

Patch Information

The issue is resolved in aiohttp 3.14.1. The patch ensures that the connection pool accounts for server_hostname when determining whether an existing TLS connection can be reused. Refer to the aiohttp security advisory GHSA-4m7w-qmgq-4wj5 for upstream guidance.

Workarounds

  • Use a dedicated TCPConnector or ClientSession per distinct server_hostname value to prevent cross-hostname pooling.
  • Disable connection reuse by setting force_close=True on the TCPConnector when per-request SNI integrity is required.
  • Validate the peer certificate manually within the response handler when upgrading is not immediately feasible.
bash
# Upgrade aiohttp to the patched release
pip install --upgrade "aiohttp>=3.14.1"

# Verify the installed version
python -c "import aiohttp; print(aiohttp.__version__)"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.