Description
When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.
Published: 2026-01-20
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: HTTP Header Injection via http.cookies.Morsel
Action: Apply Patch
AI Analysis

Impact

The vulnerability in http.cookies.Morsel allows an attacker to insert arbitrary HTTP header lines by including control characters in cookie names, values, or parameters. This can lead to HTTP response splitting, header injection, or cross-site scripting via crafted headers. The flaw stems from insufficient validation of cookie components, classified as CWE-93.

Affected Systems

Python Software Foundation CPython is affected. Any CPython installation that uses the unpatched http.cookies.Morsel implementation and where application code allows user-controlled cookie values is vulnerable. The specific version range is not listed, but the commit history indicates the issue existed before the patch was applied.

Risk and Exploitability

The CVSS score of 6.0 indicates medium severity, while the EPSS of less than 1% suggests a low probability of exploitation at the moment. The vulnerability has not been listed in the CISA KEV catalog. An attacker would need to control cookie values, which is typically feasible via a web application that trusts client input. The mitigation already rejects control characters, meaning the risk can be reduced through upgrading or input filtering.

Generated by OpenCVE AI on April 16, 2026 at 18:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest CPython release that contains the http.cookies.Morsel patch.
  • Sanitize cookie names, values, and parameters in application code to reject control characters before passing them to http.cookies.Morsel.
  • Review the application code to ensure that no untrusted user input is used to construct HTTP response headers, and apply input validation where necessary.

Generated by OpenCVE AI on April 16, 2026 at 18:01 UTC.
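The application-side pre-check suggested in the second recommended action, as an added example that is not code from OpenCVE or CPython: it rejects C0 control characters (including CR and LF) and DEL in the cookie name, value and every attribute value before anything reaches http.cookies.Morsel, so the application stays protected whether or not the interpreter carries the patch. The function names and the sample inputs are constructed here.

```python
import http.cookies
from typing import Dict, List, Optional

# C0 control characters (0x00-0x1F, which includes CR and LF) plus DEL (0x7F).
_CONTROL_CHARS = {chr(c) for c in range(0x20)} | {chr(0x7F)}


def has_control_chars(text: str) -> bool:
    """True if any character of text is a C0 control character or DEL."""
    return any(ch in _CONTROL_CHARS for ch in text)


def validate_cookie_parts(name: str, value: str,
                          attrs: Optional[Dict[str, object]] = None) -> List[str]:
    """Return a label for every cookie component that contains a control character.

    An empty list means the name, the value and all attribute values are clean.
    Flag attributes (True/False) are checked via their str() form, which is harmless.
    """
    parts = [("name", name), ("value", value)]
    for attr_name, attr_value in (attrs or {}).items():
        parts.append((f"attribute '{attr_name}'", str(attr_value)))
    return [label for label, text in parts if has_control_chars(text)]


def build_set_cookie(name: str, value: str,
                     attrs: Optional[Dict[str, object]] = None) -> str:
    """Validate the components first, then let http.cookies build the header line."""
    bad = validate_cookie_parts(name, value, attrs)
    if bad:
        raise ValueError("control character in cookie " + ", ".join(bad))
    jar = http.cookies.SimpleCookie()
    jar[name] = value                      # raises CookieError on an illegal name
    for attr_name, attr_value in (attrs or {}).items():
        jar[name][attr_name] = attr_value  # only reserved attribute names are accepted
    return jar[name].output()              # e.g. "Set-Cookie: sid=abc123; HttpOnly; Path=/"


if __name__ == "__main__":
    # Constructed sample inputs: one clean cookie and two components carrying CR LF.
    print(build_set_cookie("sid", "abc123", {"path": "/", "httponly": True}))
    for name, value, attrs in [
        ("sid", "abc\r\nX-Test: 1", None),
        ("sid", "abc", {"path": "/\r\nX-Test: 1"}),
    ]:
        print("rejected:", validate_cookie_parts(name, value, attrs))
```

The check is deliberately stricter than a CR/LF test alone, matching the patch's rejection of all control characters rather than only the two that terminate a header line.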

Tracking


Advisories
Source: Debian DLA; ID: DLA-4455-1; Title: python3.9 security update
Source: Ubuntu USN; ID: USN-8018-1; Title: Python vulnerabilities
Source: Ubuntu USN; ID: USN-8018-3; Title: Python 2.7 vulnerabilities
History

Mon, 26 Jan 2026 14:45:00 +0000


Fri, 23 Jan 2026 16:45:00 +0000


Thu, 22 Jan 2026 00:15:00 +0000

Type: References
Type: Metrics
  Values Removed: threat_severity: None
  Values Added: cvssV3_1: {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N'}; threat_severity: Moderate


Wed, 21 Jan 2026 17:15:00 +0000

Type: Metrics
  Values Added: ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 21 Jan 2026 11:30:00 +0000

Type: First Time appeared
  Values Added: Python; Python cpython
Type: Vendors & Products
  Values Added: Python; Python cpython

Tue, 20 Jan 2026 22:45:00 +0000


Tue, 20 Jan 2026 22:15:00 +0000

Type: Description
  Values Removed: User-controlled cookie values and parameters can allow injecting HTTP headers. Fix rejects all control characters within cookie names, values, and parameters.
  Values Added: When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.
Type: References

Tue, 20 Jan 2026 22:00:00 +0000

Type: Description
  Values Added: User-controlled cookie values and parameters can allow injecting HTTP headers. Fix rejects all control characters within cookie names, values, and parameters.
Type: Title
  Values Added: Header injection in http.cookies.Morsel
Type: Weaknesses
  Values Added: CWE-93
Type: References
Type: Metrics
  Values Added: cvssV4_0: {'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: PSF

Published:

Updated: 2026-03-03T14:43:20.490Z

Reserved: 2026-01-07T17:08:45.326Z

Link: CVE-2026-0672

Vulnrichment

Updated: 2026-01-21T15:48:28.463Z

NVD

Status : Deferred

Published: 2026-01-20T22:15:52.680

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-0672

Redhat

Severity : Moderate

Public Date: 2026-01-20T21:52:33Z

Links: CVE-2026-0672 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-16T18:15:43Z

Weaknesses