Description
In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.set_cookie were not checked for crafted characters.
Published: 2026-04-03
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Cookie attribute injection that may allow an attacker to manipulate domain, path, or SameSite settings, potentially compromising session integrity
Action: Patch immediately
AI Analysis

Impact

The vulnerability allows an attacker to inject arbitrary cookie attributes when the set_cookie method of Tornado’s RequestHandler receives unvalidated domain, path, or samesite values. This can enable manipulation of session cookies, facilitating session fixation, cookie hijacking, or cross‑site request forgery by setting attributes that change how browsers handle the cookie. The weakness corresponds to CWE‑159, which involves unexpected or unsafe handling of input data. The impact is limited to the integrity and confidentiality of user sessions, as the attacker can influence cookie behavior without executing arbitrary code.

Affected Systems

All versions of Tornado older than 6.5.5 are affected. The vulnerability exists in the Tornado web framework itself, where the set_cookie method does not sanitize input for cookie attributes. Users deploying Tornado 6.5.5 or newer are not vulnerable.

Risk and Exploitability

With a CVSS score of 7.2, the issue is classified as high severity. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. The attack path is inferred to be remote, via crafted HTTP requests that invoke the set_cookie method. Although there is no direct code execution, the ability to alter cookie characteristics poses a significant risk to session management and may be leveraged in broader attacks such as session fixation or CSRF. Institutions should treat this as a high‑priority security concern.

Generated by OpenCVE AI on April 3, 2026 at 06:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Tornado to version 6.5.5 or later immediately

Generated by OpenCVE AI on April 3, 2026 at 06:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-fqwm-6jpj-5wxc Tornado has cookie attribute injection via .RequestHandler.set_cookie
History

Sat, 04 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 04 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
Title Cookie Attribute Injection in Tornado’s set_cookie tornado: Tornado: Cookie attribute injection due to improper handling of cookie arguments
Weaknesses CWE-88
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Title Cookie Attribute Injection in Tornado’s set_cookie
First Time appeared Tornadoweb
Tornadoweb tornado
Vendors & Products Tornadoweb
Tornadoweb tornado

Fri, 03 Apr 2026 04:00:00 +0000

Type Values Removed Values Added
Description In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.set_cookie were not checked for crafted characters.
Weaknesses CWE-159
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Tornadoweb Tornado
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-03T13:12:16.105Z

Reserved: 2026-04-03T02:25:57.035Z

Link: CVE-2026-35536

cve-icon Vulnrichment

Updated: 2026-04-03T13:12:12.583Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-03T04:16:53.550

Modified: 2026-04-03T16:10:23.730

Link: CVE-2026-35536

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-03T02:25:57Z

Links: CVE-2026-35536 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T09:15:59Z

Weaknesses