CVE-2026-0864
Received - Intake
ConfigParser Multi-Line Injection via Carriage Return

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: Python Software Foundation

Description
When the "configparser" module is used to write configuration files containing multi-line text values with carriage return characters (\r), the resulting file could be injected with unexpected keys and values if the attacker controls the written value.
Meta Information
Published: 2026-06-23
Last Modified: 2026-06-23
Generated: 2026-06-24
AI Q&A: 2026-06-23
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs
Vendor | Product | Version / Range
python | configparser | From 3.10 (inc) to 3.15 (inc)
python | python | From 3.10 (inc) to 3.15 (inc)
CWE ID | Description
CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Executive Summary

This vulnerability occurs in Python's configparser module when writing configuration files that contain multi-line text values with carriage return characters (\r). If an attacker controls the value being written, they can inject unexpected keys and values into the resulting configuration file. This happens because the handling of line endings is inconsistent, allowing crafted input to manipulate the file structure.

Impact Analysis

The vulnerability can lead to injection of unexpected keys and values into configuration files. This could cause the application reading these files to behave unpredictably or insecurely, potentially allowing an attacker to influence application configuration or behavior by controlling configuration file contents.

Mitigation Strategies

To mitigate the vulnerability in the configparser module related to multi-line text values with carriage return characters, update Python to a version that includes the fix, which normalizes line endings to LF followed by a tab character (\n\t).

This fix ensures consistent handling of line endings (CR, CRLF, LF) when writing configuration files, preventing injection of unexpected keys and values.

Applying the patch or upgrading to a Python release that includes the security fix described in the relevant commits and pull requests is the recommended immediate action.
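
Where an affected interpreter has to stay in service until the upgrade, the same line-ending normalization can be applied in the application before a value reaches configparser. The following is an added example, not the upstream patch and not code from this page; the helper names (normalize_value, safe_set, roundtrip_options, demo), the section "app", the option "motd" and the sample value are all constructed for illustration.

```python
import configparser
import os
import re
import tempfile

# CRLF, bare CR and LF each count as one line break.
_LINE_BREAK = re.compile(r"\r\n|\r|\n")


def normalize_value(value: str) -> str:
    """Turn every line break into LF so configparser's writer, which indents
    continuation lines after LF, indents all of them."""
    return _LINE_BREAK.sub("\n", value)


def safe_set(cfg, section, option, value):
    """Hypothetical wrapper: normalize untrusted text before storing it."""
    cfg.set(section, option, normalize_value(value))


def roundtrip_options(cfg):
    """Write cfg to a file, parse it back, return {section: sorted option names}."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "roundtrip.ini")
        with open(path, "w", encoding="utf-8") as fh:
            cfg.write(fh)
        reread = configparser.ConfigParser(interpolation=None)
        reread.read(path, encoding="utf-8")
    return {s: sorted(reread.options(s)) for s in reread.sections()}


def demo():
    # Constructed sample: a multi-line value whose second line follows a bare CR.
    untrusted = "first line\rextra_key = 1"
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.add_section("app")
    safe_set(cfg, "app", "motd", untrusted)
    return roundtrip_options(cfg)


if __name__ == "__main__":
    # Only the option that was set should come back after the round trip.
    print(demo())
```

Comparing the output of roundtrip_options with the options the application actually set also works as a regression check before and after the upgrade.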

Compliance Impact

The provided information does not specify how CVE-2026-0864 affects compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability involves the Python configparser module writing configuration files with multi-line text values containing carriage return characters (\r), which can lead to injection of unexpected keys and values if an attacker controls the written value.

Detection would involve inspecting configuration files generated by the configparser module for suspicious multi-line values containing carriage return characters that could cause unexpected key/value injection.

Since the vulnerability is related to how configparser writes files, you can check for the presence of carriage return characters in configuration files that might have been generated by Python applications using configparser.

  • Use commands like `grep -P '\r' <config-file>` or `cat -v <config-file>` to detect carriage return characters in configuration files.
  • Review configuration files for unexpected or malformed keys and values that could indicate injection.

Additionally, auditing Python applications that use configparser to write configuration files with multi-line values can help identify if they are vulnerable or have been exploited.
