Web Framework Vulnerability in Tornado by Tornado Web
CVE-2026-49853

7.7HIGH

Key Information:

Vendor

Tornadoweb

Status
Vendor
CVE Published:
14 July 2026

What is CVE-2026-49853?

The Tornado web framework had an issue where the SimpleAsyncHTTPClient function performed shallow copies of redirected requests. This bug meant that sensitive information, such as Authorization headers and authentication credentials (auth_username, auth_password, and auth_mode), were not properly cleared during redirects, particularly when the scheme, host, or port changed. This oversight could potentially allow malicious actors to intercept these sensitive data points if a redirect occurred. The issue has been resolved in version 6.5.6, emphasizing the importance of updating to the latest version to mitigate these security risks.

Affected Version(s)

tornado < 6.5.6

References

CVSS V3.1

Score:
7.7
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.