Injection Flaw in CPython HTTP Header Processing
CVE-2026-0865

5.9MEDIUM

Key Information:

Vendor

Python Software Foundation

Status
Cpython
Vendor
CVE Published:
20 January 2026

What is CVE-2026-0865?

A vulnerability in CPython allows for the injection of malicious HTTP headers due to user-controlled header names and values containing newline characters. This security flaw can compromise the integrity of HTTP communication, enabling attackers to manipulate requests and responses in unexpected ways. Developers and system administrators are urged to ensure their applications are updated with the latest patches to mitigate this risk.

Affected Version(s)

CPython 0 < 3.10.20

CPython 3.11.0 < 3.11.15

CPython 3.12.0 < 3.12.13

References

https://github.com/python/cpython/pull/143917
patch
https://github.com/python/cpython/issues/143916
issue-tracking
https://mail.python.org/archives/list/security-announce@p...
vendor-advisory

CVSS V4

Score:
5.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.