🔖 Release version 0.136.3

📝 Update release notes
[skip ci]
2026-05-26 09:21:01 -04:00 · 2026-05-23 20:51:45 +02:00 · 2026-05-23 18:40:42 +00:00 · 2026-05-23 18:35:05 +00:00
4 changed files with 46 additions and 1 deletions
--- a/docs/en/docs/release-notes.md
+++ b/docs/en/docs/release-notes.md
@@ -7,6 +7,12 @@ hide:

 ## Latest Changes

+## 0.136.3 (2026-05-23)
+
+### Refactors
+
+* ♻️ Do not accept underscore headers when using `convert_underscores=True` (the default). PR [#15589](https://github.com/fastapi/fastapi/pull/15589) by [@tiangolo](https://github.com/tiangolo).
+
 ## 0.136.2 (2026-05-23)

 ### Refactors
--- a/fastapi/init.py
+++ b/fastapi/init.py
@@ -1,6 +1,6 @@
 """FastAPI framework, high performance, easy to learn, fast to code, ready for production"""

-__version__ = "0.136.2"
+__version__ = "0.136.3"

 from starlette import status as status

--- a/fastapi/dependencies/utils.py
+++ b/fastapi/dependencies/utils.py
@@ -826,6 +826,10 @@ def request_params_to_args(
        if value is not None:
            params_to_process[get_validation_alias(field)] = value
        processed_keys.add(alias or get_validation_alias(field))
+        # For headers with convert_underscores=True, mark both the converted
+        # header name and the original field alias as processed to avoid
+        # accepting the original alias as an extra header.
+        processed_keys.add(get_validation_alias(field))

    for key in received_params.keys():
        if key not in processed_keys:
--- a/tests/test_query_cookie_header_model_extra_params.py
+++ b/tests/test_query_cookie_header_model_extra_params.py
@@ -11,6 +11,10 @@ class Model(BaseModel):
    model_config = {"extra": "allow"}


+class AuthHeaders(BaseModel):
+    x_user_id: str
+
+
@app.get("/query")
 async def query_model_with_extra(data: Model = Query()):
    return data
@@ -26,6 +30,11 @@ async def cookies_model_with_extra(data: Model = Cookie()):
    return data


+@app.get("/header-requires-hyphen")
+async def header_model_requires_hyphen(data: AuthHeaders = Header()):
+    return data
+
+
 def test_query_pass_extra_list():
    client = TestClient(app)
    resp = client.get(
@@ -91,6 +100,32 @@ def test_header_pass_extra_single():
    assert resp_json["param2"] == "456"


+def test_header_model_prefers_hyphenated_header_with_convert_underscores():
+    client = TestClient(app)
+
+    resp = client.get(
+        "/header-requires-hyphen",
+        headers=[
+            ("x-user-id", "hyphenated-value"),
+            ("x_user_id", "underscore-value"),
+        ],
+    )
+
+    assert resp.status_code == 200
+    assert resp.json() == {"x_user_id": "hyphenated-value"}
+
+
+def test_header_model_rejects_underscore_header_with_convert_underscores():
+    client = TestClient(app)
+
+    resp = client.get(
+        "/header-requires-hyphen", headers={"x_user_id": "underscore-value"}
+    )
+
+    assert resp.status_code == 422
+    assert resp.json()["detail"][0]["loc"] == ["header", "x_user_id"]
+
+
 def test_cookie_pass_extra_list():
    client = TestClient(app)
    client.cookies = [
Author	SHA1	Message	Date
Sebastián Ramírez	8206485753	🔖 Release version 0.136.3	2026-05-23 20:51:45 +02:00
github-actions[bot]	c910e0139f	📝 Update release notes [skip ci]	2026-05-23 18:40:42 +00:00
Sebastián Ramírez	063b5bf582	♻️ Do not accept underscore headers when using `convert_underscores=True` (the default) (#15589 )	2026-05-23 18:35:05 +00:00