CVE-2026-1299
Email Header Injection via Improper Newline Handling in Python BytesGenerator
Publication date: 2026-01-23
Last updated on: 2026-02-13
Assigner: Python Software Foundation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| python | cpython | 3.10 |
| python | cpython | 3.11 |
| python | cpython | 3.12 |
| python | cpython | 3.13 |
| python | cpython | 3.14 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-93 | The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-1299 is a security vulnerability in Python's email module, specifically in the BytesGenerator class that serializes email messages. The issue occurs because BytesGenerator did not properly quote newline characters in email headers when serializing, which could allow header injection attacks. This happens when using the LiteralHeader class to write headers that do not follow standard email folding rules. The vulnerability allows attackers to inject or manipulate email headers by exploiting improperly folded headers. The fix involves BytesGenerator rejecting headers that are unsafely folded or improperly delimited, preventing unsafe header serialization. [1, 2, 3, 4]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to perform header injection attacks when your Python application serializes email messages using the vulnerable BytesGenerator class with improperly folded headers. Header injection can lead to manipulation of email headers, potentially enabling spoofing, phishing, or other malicious activities that exploit email processing. By injecting malicious headers, attackers might bypass security controls or cause unintended behavior in email handling systems. [1, 2, 3, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring or testing Python applications that use the email module's BytesGenerator class for serializing email headers, especially when using LiteralHeader to write headers. Detection involves checking for improperly folded or unsafely delimited email headers that could lead to header injection. Since the vulnerability is in the serialization process, you can test by attempting to serialize email headers with embedded newlines or unsafe folding and observing if the BytesGenerator raises a HeaderWriteError. There are no specific network commands provided, but you can write Python test scripts that create email messages with unsafe headers and attempt serialization to detect vulnerable versions. For example, running a Python script that uses BytesGenerator to serialize headers with embedded newlines and checking for exceptions can help detect the vulnerability. [1, 4]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, update your Python environment to a version where the fix has been applied (versions 3.11, 3.12, 3.13, 3.14 and later as backported). The fix enforces verification of email headers in the BytesGenerator class, rejecting unsafe headers that could lead to header injection. Additionally, ensure that the email.policy.Policy attribute verify_generated_headers is enabled (set to True) to enforce these safety checks. Avoid using LiteralHeader or any method that writes headers without respecting email folding rules. If updating is not immediately possible, review and sanitize email headers in your application to prevent unsafe newlines or improper folding before serialization. [2, 4]