CVE-2026-0672

Severity CVSS v4.0: MEDIUM
Type: CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
Publication date: 20/01/2026
Last modified: 26/01/2026

Description

When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. The patch rejects all control characters within cookie names, values, and parameters.
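
An application-side guard in the spirit of the fix described above, as an added example (not the CPython patch and not code from this advisory): it refuses control characters in the cookie name, value and attributes before they reach http.cookies. The helper names `find_control_chars` and `build_set_cookie`, the keyword mapping for attributes and the sample inputs are assumptions made for the illustration.

```python
from http.cookies import SimpleCookie

# C0 controls (0x00-0x1F) plus DEL; CR and LF are the ones that end a header line.
_CONTROL = frozenset(map(chr, range(0x20))) | {"\x7f"}


def find_control_chars(text):
    """Return the indexes of control characters in str(text)."""
    return [i for i, ch in enumerate(str(text)) if ch in _CONTROL]


def build_set_cookie(name, value, **attrs):
    """Return a Set-Cookie header value, refusing control characters anywhere.

    attrs uses Morsel attribute names with '_' for '-' (max_age -> max-age);
    this keyword mapping is an assumption of the example.
    """
    attrs = {key.replace("_", "-"): val for key, val in attrs.items()}
    fields = [("name", name), ("value", value)]
    fields += [(f"attribute {key}", val) for key, val in attrs.items()]
    for field, text in fields:
        hits = find_control_chars(text)
        if hits:
            raise ValueError(
                f"control character {str(text)[hits[0]]!r} at index {hits[0]} "
                f"in cookie {field}"
            )
    cookie = SimpleCookie()
    cookie[name] = value            # SimpleCookie quotes the value if needed
    for key, val in attrs.items():
        cookie[name][key] = val     # unknown attribute names raise CookieError
    return cookie[name].OutputString()


if __name__ == "__main__":
    # Constructed inputs: one clean cookie, one with CR/LF in an attribute.
    print(build_set_cookie("sid", "abc123", path="/", httponly=True, secure=True))
    try:
        build_set_cookie("sid", "abc123", path="/\r\nX-Test: 1")
    except ValueError as exc:
        print("rejected:", exc)
```

The guard runs before any Morsel is built, so it behaves the same whether or not the interpreter already carries the patch.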