CVE-2026-0865 - Vulnerability Details

- wsgiref.headers.Headers allows header newline injection

Description

User-controlled header names and values containing newlines can allow injecting HTTP headers.

Published: 2026-01-20

Score: 5.9 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

User-controlled HTTP header names or values that include newline characters can be used to inject additional headers into the response. This header injection vulnerability may enable attackers to modify or add HTTP headers, potentially leading to HTTP response splitting, cache poisoning, or application logic manipulation. The flaw originates from the lack of sanitization in Python's wsgiref.headers module and is classified as a Header Injection weakness (CWE‑74).

Affected Systems

The vulnerability affects the CPython implementation of the Python Software Foundation. Any deployment that employs the wsgiref.headers class without the patch—primarily Python web servers or applications that use the wsgiref module—is potentially impacted. Affected version details were not disclosed in the provided data.

Risk and Exploitability

The CVSS score of 5.9 indicates a moderate impact, while an EPSS score of less than 1% suggests a low exploitation probability at this time. The issue does not appear in the CISA KEV catalog, implying no confirmed widespread exploitation. The likely attack vector is remote, via an HTTP request constructed by an attacker that includes newlines in header names or values processed by wsgiref.headers. An attacker could construct such a request to influence the server's response headers before application logic is applied.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Python Software Foundation

CPython

unaffected

Version	Status	Constraints
`0`	affected	< 3.10.20
`3.11.0`	affected	< 3.11.15
`3.12.0`	affected	< 3.12.13
`3.13.0`	affected	< 3.13.12
`3.14.0`	affected	< 3.14.3
`3.15.0a1`	affected	< 3.15.0a6

No data.

Vendor	Product	Confidence	Versions
Python	Cpython	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade CPython to the latest stable release that incorporates the wsgiref header sanitization change.
If an immediate upgrade is not possible, validate and sanitize all incoming HTTP headers for newline characters before they reach the wsgiref module, or handle headers at the application layer to prevent injection.
Consider disabling or replacing the use of wsgiref.headers in production code, or using a third-party WSGI server with stricter header validation.

Generated by OpenCVE AI on April 16, 2026 at 18:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4455-1	python3.9 security update
Ubuntu USN	USN-8018-1	Python vulnerabilities
Ubuntu USN	USN-8018-2	Python regression
Ubuntu USN	USN-8018-3	Python 2.7 vulnerabilities

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00132.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/python/cpython/commit/22e4d55285cee52bc4dbe061324e5f30bd4dee58
https://github.com/python/cpython/commit/23e3c0ae867cca0130e441e776c9955b9027c510
https://github.com/python/cpython/commit/286e3ac39984fe85a17f4ab39c64d382137aae5f
https://github.com/python/cpython/commit/2f840249550e082dc351743f474ba56da10478d2
https://github.com/python/cpython/commit/4802b96a2cde58570c24c13ef3289490980961c5
https://github.com/python/cpython/commit/66da7bf6fe7b81e3ecc9c0a25bd47d4616c8d1a6
https://github.com/python/cpython/commit/83ecd18779f286d872f68bfce175651e407d9fff
https://github.com/python/cpython/commit/8bb044d29310bb05d15086cdaa8bf64867d61a97
https://github.com/python/cpython/commit/bfba660085767f8c2d582134e9d511a85eda04cf
https://github.com/python/cpython/commit/c592227ffb48679af9845a45dbb0875d975bb219
https://github.com/python/cpython/commit/e4846a93ac07a8ae9aa18203af0dd13d6e7a6995
https://github.com/python/cpython/commit/f7fceed79ca1bceae8dbe5ba5bc8928564da7211
https://github.com/python/cpython/issues/143916
https://github.com/python/cpython/pull/143917
https://mail.python.org/archives/list/security-announce@python.org/thread/BJ6QPHNSHJTS3A7CFV6IBMCAP2DWRVNT/
https://nvd.nist.gov/vuln/detail/CVE-2026-0865
https://www.cve.org/CVERecord?id=CVE-2026-0865

History

Tue, 03 Mar 2026 14:45:00 +0000

Type	Values Removed	Values Added
References		https://github.com/python/cpython/commit/286e3ac39984fe85a17f4ab39c64d382137aae5f https://github.com/python/cpython/commit/8bb044d29310bb05d15086cdaa8bf64867d61a97 https://github.com/python/cpython/commit/c592227ffb48679af9845a45dbb0875d975bb219

Mon, 23 Feb 2026 15:15:00 +0000

Type	Values Removed	Values Added
References		https://github.com/python/cpython/commit/83ecd18779f286d872f68bfce175651e407d9fff https://github.com/python/cpython/commit/bfba660085767f8c2d582134e9d511a85eda04cf

Fri, 13 Feb 2026 16:30:00 +0000

Type	Values Removed	Values Added
References		https://github.com/python/cpython/commit/66da7bf6fe7b81e3ecc9c0a25bd47d4616c8d1a6

Thu, 22 Jan 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2026-0865 https://www.cve.org/CVERecord?id=CVE-2026-0865
Metrics	threat_severity `None`	cvssV3_1 `{'score': 4.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N'}` threat_severity `Moderate`

Wed, 21 Jan 2026 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 21 Jan 2026 11:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Python Python cpython
Vendors & Products		Python Python cpython

Tue, 20 Jan 2026 23:15:00 +0000

Type	Values Removed	Values Added
References		https://github.com/python/cpython/commit/2f840249550e082dc351743f474ba56da10478d2 https://github.com/python/cpython/commit/e4846a93ac07a8ae9aa18203af0dd13d6e7a6995

Tue, 20 Jan 2026 22:45:00 +0000

Type	Values Removed	Values Added
References		https://github.com/python/cpython/commit/22e4d55285cee52bc4dbe061324e5f30bd4dee58 https://github.com/python/cpython/commit/23e3c0ae867cca0130e441e776c9955b9027c510 https://github.com/python/cpython/commit/4802b96a2cde58570c24c13ef3289490980961c5 https://github.com/python/cpython/commit/f7fceed79ca1bceae8dbe5ba5bc8928564da7211

Tue, 20 Jan 2026 21:45:00 +0000

Type	Values Removed	Values Added
Description		User-controlled header names and values containing newlines can allow injecting HTTP headers.
Title		wsgiref.headers.Headers allows header newline injection
Weaknesses		CWE-74
References		https://github.com/python/cpython/issues/143916 https://github.com/python/cpython/pull/143917 https://mail.python.org/archives/list/security-announce@python.org/thread/BJ6QPHNSHJTS3A7CFV6IBMCAP2DWRVNT/
Metrics		cvssV4_0 `{'score': 5.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}`

Subscriptions

Python Cpython

MITRE

Status: PUBLISHED

Assigner: PSF

Published: 2026-01-20T21:26:15.274Z

Updated: 2026-03-03T14:43:30.596Z

Reserved: 2026-01-12T16:07:56.781Z

Link: CVE-2026-0865

Vulnrichment

Updated: 2026-01-21T15:48:38.269Z

NVD

Status : Deferred

Published: 2026-01-20T22:15:52.800

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-0865

Redhat

Severity : Moderate

Publid Date: 2026-01-20T21:26:15Z

Links: CVE-2026-0865 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-16T18:15:43Z

Weaknesses

CWE-74

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object