Injection Vulnerability in Python's HTTP Cookie Handling
CVE-2026-0672
6 MEDIUM
What is CVE-2026-0672?
The vulnerability arises in Python's http.cookies.Morsel, where improperly validated user-controlled cookie values and parameters can lead to HTTP header injection. This flaw allows malicious users to manipulate HTTP messages through crafted cookies. A recent patch addresses this issue by rejecting all control characters within cookie names, values, and parameters, thereby enhancing the security of applications relying on this component.
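A pre-check an application can apply while it still runs on an affected interpreter, shown as an added example (not CPython's patch and not code from this page): it refuses control characters in the cookie name, value and attributes before they reach `Morsel`. The names `unsafe_fields` and `build_set_cookie`, the constructed sample input, and the choice of 0x00-0x1F plus 0x7F as the rejected range are assumptions of this example.

```python
import re
from http.cookies import SimpleCookie

# Assumption of this example: "control character" means C0 (0x00-0x1F) and DEL.
# CR and LF are the ones that let a field break out of its header line.
_CTL = re.compile(r"[\x00-\x1f\x7f]")


def unsafe_fields(name, value, **attrs):
    """Return the cookie fields (name, value, attributes) that contain a
    control character. An empty list means the cookie is safe to emit."""
    pairs = [("name", name), ("value", value), *attrs.items()]
    return [field for field, text in pairs
            if isinstance(text, str) and _CTL.search(text)]


def build_set_cookie(name, value, **attrs):
    """Build a Set-Cookie header value, rejecting control characters in
    every field before http.cookies.Morsel handles them."""
    bad = unsafe_fields(name, value, **attrs)
    if bad:
        # Report which fields failed, not their content, to keep logs clean.
        raise ValueError(f"control character in cookie field(s): {bad}")
    cookie = SimpleCookie()
    cookie[name] = value
    for key, attr in attrs.items():
        cookie[name][key] = attr  # Morsel rejects unknown attribute names
    return cookie[name].OutputString()


if __name__ == "__main__":
    # Constructed inputs: one clean cookie, one value carrying CR LF.
    print(build_set_cookie("session", "abc123", path="/", httponly=True))
    try:
        build_set_cookie("session", "abc\r\nX-Test: 1", path="/")
    except ValueError as exc:
        print("rejected:", exc)
```

The guard behaves the same on patched and unpatched interpreters because the check runs before any `Morsel` is created.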
Affected Version(s)
CPython 0 < 3.10.20
CPython 3.11.0 < 3.11.15
CPython 3.12.0 < 3.12.13
