CVE-2026-0864 - Vulnerability Details

- Configuration Injection via Carriage Return (\r) in write() method

Description

When using the "configparser" module to write configuration files
containing multi-line text values with carriage return characters (\r) the
resulting file could be injected with unexpected keys and values if the
attacker controls the written value.

Published: 2026-06-23

Score: 4.1 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

When CPython’s configparser module writes configuration files containing multi‑line text that include carriage return characters (\r), the written file can be injected with unexpected keys and values if an attacker supplies the value. This vulnerability essentially allows the attacker to alter configuration data that the target application will later read, potentially changing application settings, disabling security controls, or redirecting logic paths. The weakness is an example of configuration injection (CWE‑74 and CWE‑93).

Affected Systems

All CPython implementations that use the standard library’s configparser.write routine to generate configuration files containing values with carriage return characters are potentially affected. No specific CPython release is isolated in the advisory, so all current and recent releases that have not yet received the patch commit 5858e42c5 are considered vulnerable.

Risk and Exploitability

The CVSS score of 4.1 indicates moderate severity, and the vulnerability is not listed in CISA’s KEV catalog. No EPSS metric is available, but the likelihood of exploitation is limited to environments where an attacker can influence the data written to a configuration file—typically local or application‑level scenarios. No publicly known exploits have been reported, suggesting the exploitability remains low and dependent on trusted input being written to disk.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Python Software Foundation

CPython

unaffected

Version	Status	Constraints
`0`	affected	< 3.15.0

No data.

Vendor Product Confidence Versions

Python

Cpython

95%

Version	Status	Scheme	Platform
`[0,3.15.0)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the CPython patch commit 5858e42c5 to fix the configuration injection bug before a formal release is available.
Sanitize any configuration values containing carriage return characters before passing them to configparser.write, ensuring no CR characters are written to the file.
Audit the generated configuration files for unexpected or injected keys and values, especially those that influence security‑critical settings.

Generated by OpenCVE AI on June 24, 2026 at 13:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Local

Attack Complexity Low

Privileges Required High

Attack Requirements Present

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00127.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/python/cpython/commit/0adb386f6e68eb2e73d32e19f235d012df009528
https://github.com/python/cpython/commit/5858e42c539dac8394636a6e9b30472b8994851f
https://github.com/python/cpython/commit/71f2e02a52d47417a6fd69f456346cd8aa7aca98
https://github.com/python/cpython/commit/aaf850fd333cd89e9aada03d92aaa788a6cb1bb8
https://github.com/python/cpython/issues/143927
https://github.com/python/cpython/pull/151559
https://mail.python.org/archives/list/security-announce@python.org/thread/CV4NE6AFCRJL7XQOHX7J5TSDHUWVWGJS/
https://nvd.nist.gov/vuln/detail/CVE-2026-0864
https://www.cve.org/CVERecord?id=CVE-2026-0864

History

Wed, 24 Jun 2026 13:45:00 +0000

Type	Values Removed	Values Added
References		https://github.com/python/cpython/commit/0adb386f6e68eb2e73d32e19f235d012df009528 https://github.com/python/cpython/commit/71f2e02a52d47417a6fd69f456346cd8aa7aca98 https://github.com/python/cpython/commit/aaf850fd333cd89e9aada03d92aaa788a6cb1bb8

Wed, 24 Jun 2026 12:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-93
References		https://nvd.nist.gov/vuln/detail/CVE-2026-0864 https://www.cve.org/CVERecord?id=CVE-2026-0864
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}` threat_severity `Moderate`

Tue, 23 Jun 2026 22:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Python Python cpython
Vendors & Products		Python Python cpython

Tue, 23 Jun 2026 19:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-74
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 23 Jun 2026 18:15:00 +0000

Type	Values Removed	Values Added
Description		When using the "configparser" module to write configuration files containing multi-line text values with carriage return characters (\r) the resulting file could be injected with unexpected keys and values if the attacker controls the written value.
Title		Configuration Injection via Carriage Return (\r) in write() method
References		https://github.com/python/cpython/commit/5858e42c539dac8394636a6e9b30472b8994851f https://github.com/python/cpython/issues/143927 https://github.com/python/cpython/pull/151559 https://mail.python.org/archives/list/security-announce@python.org/thread/CV4NE6AFCRJL7XQOHX7J5TSDHUWVWGJS/
Metrics		cvssV4_0 `{'score': 4.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}`

Subscriptions

Python Cpython

MITRE

Status: PUBLISHED

Assigner: PSF

Published: 2026-06-23T17:42:01.947Z

Updated: 2026-06-24T12:55:42.471Z

Reserved: 2026-01-12T16:07:55.453Z

Link: CVE-2026-0864

Vulnrichment

Updated: 2026-06-23T18:34:40.390Z

NVD

No data.

Redhat

Severity : Moderate

Publid Date: 2026-06-23T17:42:01Z

Links: CVE-2026-0864 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-24T10:30:14Z

Weaknesses

CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-93
Improper Neutralization of CRLF Sequences ('CRLF Injection')

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required High

Attack Requirements Present

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object