CVE-2026-3644
Analyzed Analyzed - Analysis Complete
Control Character Injection in Python http.cookies Morsel Component

Publication date: 2026-03-16

Last updated on: 2026-06-04

Assigner: Python Software Foundation

Description
The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-16
Last Modified
2026-06-04
Generated
2026-06-16
AI Q&A
2026-03-16
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3644
EUVD
EUVD-2026-12484
Affected Vendors & Products
Showing 9 associated CPEs
Vendor Product Version / Range
python python 3.15.0
python python 3.15.0
python python to 3.13.13 (exc)
python python From 3.14.0 (inc) to 3.14.4 (exc)
python python 3.15.0
python python 3.15.0
python python 3.15.0
python python 3.15.0
python python 3.15.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-116 The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "This vulnerability, CVE-2026-3644, exists in Python's http.cookies module. It is caused by incomplete input validation that allows control characters to bypass rejection in the Morsel.update() method, the |= operator, and unpickling paths. Additionally, the BaseCookie.js_output() function lacked proper output validation. These flaws mean that control characters can be injected into cookie handling processes, which should have been prevented."}] [2, 4]

Impact Analysis

[{'type': 'paragraph', 'content': "The vulnerability can allow malicious input containing control characters to be processed in cookie values. This can lead to security risks such as cookie injection or manipulation, potentially compromising the integrity and security of web applications that rely on Python's http.cookies module for cookie handling."}] [2, 4]

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate CVE-2026-3644, you should update your Python environment to a version where the vulnerability is fixed. The fix has been backported to Python versions 3.10 through 3.14.

The vulnerability involves improper handling of control characters in the http.cookies module, specifically in the Morsel.update() method and BaseCookie.js_output() function. Applying the official patches or upgrading to a patched Python release will ensure control characters are properly rejected, preventing potential security risks related to cookie injection or manipulation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3644. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart