Skip to content

TLS Server Hostname Override Is Ignored When Reusing HTTPS Connections

Low
Dreamsorcerer published GHSA-4m7w-qmgq-4wj5 Jun 8, 2026

Package

pip aiohttp (pip)

Affected versions

<=3.14.0

Patched versions

3.14.1

Description

Summary

The server_hostname TLS SNI check can be bypassed when an existing connection is reused.

Impact

If an application makes multiple requests to the same domain, but with different per-request server_hostname parameters, then the later calls may succeed by reusing the existing connection when they should have been rejected due to the TLS SNI check.

Workaround

Disable keep_alive if you need to change the server_hostname check between requests.


Patch: 0ca2b6c

Severity

Low

CVE ID

CVE-2026-54275

Weaknesses

No CWEs

Credits