Base64 Decoding Issue in Python's Standard Library
CVE-2026-3446

6 MEDIUM

What is CVE-2026-3446?

This vulnerability arises in base64.b64decode() and similar functions in Python's standard library: the decoding operation does not process data beyond the first padded quad. As a result, malformed data can be accepted unintentionally, and other implementations may handle the same data differently, which introduces potential security risks. Developers are advised to pass the 'validate=True' option to enforce stricter compliance when decoding base64 data.
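The following is an added example, not code from the advisory or from CPython: it compares the default decoder with 'validate=True' on constructed inputs so that lenient acceptance can be spotted in tests or at an input boundary. The names strict_b64decode, audit_input and audit, and the sample inputs, are assumptions made for this illustration.

```python
import base64
import binascii

# Constructed sample inputs (not taken from the advisory).
SAMPLES = [
    b"aGVsbG8=",          # one well-formed padded group: "hello"
    b"aGVsbG8=d29ybGQ=",  # more data after the first padded quad
    b"aGVs*bG8=",         # a byte outside the base64 alphabet
]


def strict_b64decode(data: bytes) -> bytes:
    """Decode with validate=True, the option the advisory recommends."""
    return base64.b64decode(data, validate=True)


def audit_input(data: bytes) -> str:
    """Classify one input by comparing the strict and default decoders.

    'ok'        - the strict decoder accepts it
    'rejected'  - both decoders refuse it
    'divergent' - the default decoder returns bytes for input that the
                  strict decoder refuses (the risky case)
    """
    try:
        strict_b64decode(data)
        return "ok"
    except binascii.Error:
        pass
    try:
        base64.b64decode(data)  # default, lenient mode
    except binascii.Error:
        return "rejected"
    return "divergent"


def audit(samples=SAMPLES) -> dict:
    """Map every sample to its verdict."""
    return {sample: audit_input(sample) for sample in samples}


if __name__ == "__main__":
    for sample, verdict in audit().items():
        print(f"{sample!r:24} {verdict}")
```

An input reported as divergent is one the default decoder turns into bytes while the strict decoder refuses it; the verdict for a given input can differ between interpreter versions.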

Affected Version(s)

CPython 0 < 3.13.13

CPython 3.14.0 < 3.14.4

CPython 3.15.0a1 < 3.15.0a8

CVSS V4

Score: 6
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Serhiy Storchaka