Executive Summary

CVE-2026-1299 is a security vulnerability in Python's email module, specifically in the BytesGenerator class that serializes email messages. The issue occurs because BytesGenerator did not properly quote newline characters in email headers when serializing, which could allow header injection attacks. This happens when using the LiteralHeader class to write headers that do not follow standard email folding rules. The vulnerability allows attackers to inject or manipulate email headers by exploiting improperly folded headers. The fix involves BytesGenerator rejecting headers that are unsafely folded or improperly delimited, preventing unsafe header serialization. [1, 2, 3, 4]

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability immediately, update your Python environment to a version where the fix has been applied (versions 3.11, 3.12, 3.13, 3.14 and later as backported). The fix enforces verification of email headers in the BytesGenerator class, rejecting unsafe headers that could lead to header injection. Additionally, ensure that the email.policy.Policy attribute verify_generated_headers is enabled (set to True) to enforce these safety checks. Avoid using LiteralHeader or any method that writes headers without respecting email folding rules. If updating is not immediately possible, review and sanitize email headers in your application to prevent unsafe newlines or improper folding before serialization. [2, 4]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing attackers to perform header injection attacks when your Python application serializes email messages using the vulnerable BytesGenerator class with improperly folded headers. Header injection can lead to manipulation of email headers, potentially enabling spoofing, phishing, or other malicious activities that exploit email processing. By injecting malicious headers, attackers might bypass security controls or cause unintended behavior in email handling systems. [1, 2, 3, 4]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring or testing Python applications that use the email module's BytesGenerator class for serializing email headers, especially when using LiteralHeader to write headers. Detection involves checking for improperly folded or unsafely delimited email headers that could lead to header injection. Since the vulnerability is in the serialization process, you can test by attempting to serialize email headers with embedded newlines or unsafe folding and observing if the BytesGenerator raises a HeaderWriteError. There are no specific network commands provided, but you can write Python test scripts that create email messages with unsafe headers and attempt serialization to detect vulnerable versions. For example, running a Python script that uses BytesGenerator to serialize headers with embedded newlines and checking for exceptions can help detect the vulnerability. [1, 4]

Useful 0 Not Useful 0