CVE-2026-0672
Unknown Unknown - Not Provided
HTTP Header Injection via http.cookies.Morsel in Python

Publication date: 2026-01-20

Last updated on: 2026-01-20

Assigner: Python Software Foundation

Description
When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-20
Last Modified
2026-01-20
Generated
2026-06-16
AI Q&A
2026-01-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-0672
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
python cpython 3.10
python cpython 3.11
python cpython 3.12
python cpython 3.13
python cpython 3.14
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-93 The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs in the Python http.cookies.Morsel module, where user-controlled cookie values and parameters can be used to inject HTTP headers into messages. This happens because control characters were not properly rejected in cookie names, values, and parameters. The patch fixes this by rejecting all control characters in these fields.

Impact Analysis

This vulnerability can allow an attacker to inject arbitrary HTTP headers via cookie values or parameters, potentially leading to security issues such as HTTP response splitting, web cache poisoning, or other attacks that manipulate HTTP headers. This can compromise the integrity and security of web communications.

Mitigation Strategies

Apply the patch that rejects all control characters within cookie names, values, and parameters in the http.cookies.Morsel module to prevent HTTP header injection.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-0672. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart