Configuration File Vulnerability in Python's Configparser Module
CVE-2026-0864

4.1 MEDIUM

What is CVE-2026-0864?

The configparser module in Python can be exploited when it handles multi-line text values that contain carriage return characters. If an attacker can manipulate the values written to a configuration file, unexpected keys and values may be injected into it. This allows configuration tampering, which can affect the behavior and security of the application that uses these configuration files.
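
A defensive check for the issue described above, as an added example that is not part of the original advisory or of CPython: it rejects values containing a carriage return before they reach configparser, and confirms that a written file reads back with the same keys and values. The helper names `check_value`, `safe_set`, `snapshot` and `roundtrips`, and the sample section and options, are assumptions.

```python
import configparser
import os
import tempfile


def check_value(value: str) -> str:
    """Return value unchanged, or raise if it contains a carriage return."""
    if "\r" in value:
        raise ValueError("carriage return not allowed in configuration value")
    return value


def safe_set(parser, section, option, value):
    """Set an option only after the value has passed check_value()."""
    checked = check_value(value)
    if not parser.has_section(section):
        parser.add_section(section)
    parser.set(section, option, checked)


def snapshot(parser):
    """Plain dict of every section's raw key/value pairs."""
    return {s: dict(parser.items(s, raw=True)) for s in parser.sections()}


def roundtrips(parser) -> bool:
    """Write the parser to a temporary file, re-read it, compare contents."""
    fd, path = tempfile.mkstemp(suffix=".ini")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            parser.write(fh)
        reread = configparser.ConfigParser(interpolation=None)
        reread.read(path, encoding="utf-8")
    finally:
        os.unlink(path)
    return snapshot(reread) == snapshot(parser)


if __name__ == "__main__":
    cfg = configparser.ConfigParser(interpolation=None)
    # Constructed sample values; "\n" is fine, configparser indents it.
    safe_set(cfg, "server", "motd", "first line\nsecond line")
    safe_set(cfg, "server", "port", "8080")
    print("round trip intact:", roundtrips(cfg))
    try:
        safe_set(cfg, "server", "motd", "hello\rdebug = true")
    except ValueError as exc:
        print("rejected:", exc)
```

Running `roundtrips()` on a parser that was filled without `safe_set()` works as an audit: a `False` result means the file on disk no longer matches what the application intended to write.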

Affected Version(s)

CPython 0 < 3.15.0

CVSS V4

Score: 4.1
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Local
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

D0n9 (https://github.com/D0n9)
Petr Viktorin (https://github.com/encukou)
Seth Larson (https://github.com/sethmlarson)