Description
In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.set_cookie were not checked for crafted characters.
Published: 2026-04-03
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Session hijacking via cookie attribute injection
Action: Patch Immediately
AI Analysis

Impact

In Tornado prior to version 6.5.5 the method RequestHandler.set_cookie failed to validate the domain, path and samesite arguments, enabling an attacker to craft cookie attributes that alter cookie behavior. By injecting special characters an adversary could set cookies with unintended scopes or attribute values, potentially bypassing same‑site restrictions or establishing cross‑domain cookies. This weakness is classified under CWE‑159 (Improper Validation of Input) and CWE‑88 (Improper Specification of Cookie Use). The resulting impact is the ability to manipulate the session context, leading to session hijacking or privilege escalation within the application.

Affected Systems

The vulnerability affects the Tornado web framework provided by Tornadoweb. Any deployment of Tornado that is running a version earlier than 6.5.5 is susceptible. Systems that rely on RequestHandler.set_cookie to configure user sessions or cross‑site tokens are at risk.

Risk and Exploitability

The CVSS score of 7.2 indicates a high severity vulnerability. The EPSS score of less than 1 percent suggests that exploitation of this weakness is unlikely to be widespread at present. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The most likely attack vector is a remote attacker exploiting a web application that incorrectly supplies cookie arguments to set_cookie; the attacker would need to craft a response that triggers the injection path in the target server.

Generated by OpenCVE AI on April 10, 2026 at 16:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Tornado 6.5.5 or later patch immediately
  • Verify that domain, path and samesite arguments passed to RequestHandler.set_cookie are validated or originate from trusted sources
  • If an update is not possible, avoid using set_cookie with untrusted input or explicitly set safe default values for cookie attributes
  • Keep the firewall and web application monitoring configured to detect abnormal cookie behavior

Generated by OpenCVE AI on April 10, 2026 at 16:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-fqwm-6jpj-5wxc Tornado has cookie attribute injection via .RequestHandler.set_cookie
Ubuntu USN Ubuntu USN USN-8198-1 Tornado vulnerabilities
Ubuntu USN Ubuntu USN USN-8198-2 Tornado vulnerabilities
History

Fri, 10 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:tornadoweb:tornado:*:*:*:*:*:*:*:*

Sat, 04 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 04 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
Title Cookie Attribute Injection in Tornado’s set_cookie tornado: Tornado: Cookie attribute injection due to improper handling of cookie arguments
Weaknesses CWE-88
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Title Cookie Attribute Injection in Tornado’s set_cookie
First Time appeared Tornadoweb
Tornadoweb tornado
Vendors & Products Tornadoweb
Tornadoweb tornado

Fri, 03 Apr 2026 04:00:00 +0000

Type Values Removed Values Added
Description In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.set_cookie were not checked for crafted characters.
Weaknesses CWE-159
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Tornadoweb Tornado
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-03T13:12:16.105Z

Reserved: 2026-04-03T02:25:57.035Z

Link: CVE-2026-35536

cve-icon Vulnrichment

Updated: 2026-04-03T13:12:12.583Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-03T04:16:53.550

Modified: 2026-04-10T15:14:22.700

Link: CVE-2026-35536

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-03T02:25:57Z

Links: CVE-2026-35536 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T14:28:00Z

Weaknesses