CVE-2026-3644
Control Character Injection in Python http.cookies Morsel Component
Publication date: 2026-03-16
Last updated on: 2026-03-16
Assigner: Python Software Foundation
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| python | python | * |
| python | cpython | 3.10 |
| python | cpython | 3.11 |
| python | cpython | 3.12 |
| python | cpython | 3.13 |
| python | cpython | 3.14 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CWE-116 | The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability, CVE-2026-3644, exists in Python's http.cookies module. It is caused by incomplete input validation that allows control characters to bypass rejection in the Morsel.update() method, the |= operator, and unpickling paths. Additionally, the BaseCookie.js_output() function lacked proper output validation. These flaws mean that control characters can be injected into cookie handling processes, which should have been prevented. [2, 4]
How can this vulnerability impact me?
The vulnerability can allow malicious input containing control characters to be processed in cookie values. This can lead to security risks such as cookie injection or manipulation, potentially compromising the integrity and security of web applications that rely on Python's http.cookies module for cookie handling. [2, 4]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate CVE-2026-3644, you should update your Python environment to a version where the vulnerability is fixed. The fix has been backported to Python versions 3.10 through 3.14.
The vulnerability involves improper handling of control characters in the http.cookies module, specifically in the Morsel.update() method and BaseCookie.js_output() function. Applying the official patches or upgrading to a patched Python release will ensure control characters are properly rejected, preventing potential security risks related to cookie injection or manipulation.
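As an added example (not the page's or CPython's code), the defensive pattern the description implies for code that cannot upgrade immediately: reject control characters in cookie attribute values before they enter a Morsel, fill the Morsel one attribute at a time instead of via update() or |=, and re-check the Morsel on the output side so that anything that arrived through a bypassing path is caught before it is rendered. The regex, the function names and the two-sided check are assumptions of this example; they mirror the control-character rejection the patch restores, not the patched code itself.

```python
import re
from http.cookies import CookieError, Morsel

# C0 control characters and DEL: none of these may appear in a Set-Cookie line
# (CR/LF would terminate the header; the others corrupt it). Assumed pattern.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def has_control_chars(text: str) -> bool:
    """True if the text contains a character that would corrupt a header line."""
    return _CONTROL_CHARS.search(text) is not None


def validated_attrs(attrs: dict) -> dict:
    """Input-side check: refuse attribute names/values with control characters."""
    for key, val in attrs.items():
        if has_control_chars(str(key)) or has_control_chars(str(val)):
            raise CookieError(f"control character in cookie attribute {key!r}")
    return dict(attrs)


def build_morsel(name: str, value: str, attrs: dict) -> Morsel:
    """Build a Morsel without update() or |=, so every attribute goes through __setitem__."""
    if has_control_chars(name) or has_control_chars(value):
        raise CookieError("control character in cookie name or value")
    morsel = Morsel()
    morsel.set(name, value, value)  # set() applies the library's own key checks
    for key, val in validated_attrs(attrs).items():
        morsel[key] = val  # one attribute at a time; unknown attribute names raise CookieError
    return morsel


def checked_output(morsel: Morsel) -> str:
    """Output-side check: scan the Morsel before rendering, whatever path filled it."""
    if has_control_chars(morsel.key) or has_control_chars(morsel.coded_value):
        raise CookieError("control character in cookie name or value")
    for key, val in morsel.items():
        if has_control_chars(str(key)) or has_control_chars(str(val)):
            raise CookieError(f"control character in cookie attribute {key!r}")
    return morsel.OutputString()


def rejected(func, *args) -> bool:
    """Helper: True if func(*args) raises CookieError, False if it succeeds."""
    try:
        func(*args)
    except CookieError:
        return True
    return False
```

The output-side check is the part that still matters on a patched interpreter: it is cheap, and it protects any code path that serialises Morsels it did not build itself.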