CVE-2026-3644 - Vulnerability Details

Description

The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().

Published: 2026-03-16

Score: 6 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability arises from an incomplete implementation of control‑character validation within Python’s http.cookies module. Specifically, the Morsel.update() method, the bitwise OR assignment operator (|=), and the unpickling process were not patched to reject control characters, allowing them to bypass the intended checks. Additionally, BaseCookie.js_output() omitted the output validation present in BaseCookie.output(), creating another avenue for malicious characters to be processed by the cookie handling logic. This flaw can enable an attacker to inject arbitrary cookie values or manipulate HTTP headers, potentially leading to header injection, cookie poisoning, or other injection‑related attacks.

Affected Systems

The affected vendor is the Python Software Foundation, product CPython. Specific version information was not included in the CVE data, so affected releases cannot be listed precisely.

Risk and Exploitability

The CVSS score of 6 indicates a medium severity impact. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting that broad, automated exploitation is not yet documented. The likely attack vector is remote, as crafted HTTP requests containing control characters can be sent to any Python application that uses the http.cookies module to parse incoming cookies. If the application parses user‑supplied cookies without prior validation, an attacker could potentially alter HTTP response headers or inject additional cookies, leading to information disclosure or session hijacking. The absence of detailed exploitation proofs limits the assessment, but the medium score reflects a non‑zero risk when the flaw is present in production code.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Python Software Foundation

CPython

unaffected

Version	Status	Constraints
`0`	affected	< 3.15.0

No data.

Vendor Product Confidence Versions

Python

Cpython

100%

Version	Status	Scheme	Platform
`[0,3.15.0)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade CPython to the latest release containing the complete control‑character validation fix for http.cookies, as provided in the linked commit history.
Validate or sanitize all cookie input before passing it to http.cookies.Morsel or any related functions to eliminate any remaining control characters.
If upgrading immediately is not possible, consider implementing a temporary check that rejects cookie values containing non‑printable characters or other disallowed patterns.
Monitor application logs for anomalous cookie values or repeated header injection attempts, and apply additional defensive coding practices such as using parameterized headers and enforcing strict content‑type validation.

Generated by OpenCVE AI on March 17, 2026 at 01:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00113.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/python/cpython/commit/57e88c1cf95e1481b94ae57abe1010469d47a6b4
https://github.com/python/cpython/commit/62ceb396fcbe69da1ded3702de586f4072b590dd
https://github.com/python/cpython/commit/d16ecc6c3626f0e2cc8f08c309c83934e8a979dd
https://github.com/python/cpython/issues/145599
https://github.com/python/cpython/pull/145600
https://mail.python.org/archives/list/security-announce@python.org/thread/H6CADMBCDRFGWCMOXWUIHFJNV43GABJ7/
https://nvd.nist.gov/vuln/detail/CVE-2026-3644
https://www.cve.org/CVERecord?id=CVE-2026-3644

History

Tue, 17 Mar 2026 10:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Python Python cpython
Vendors & Products		Python Python cpython

Tue, 17 Mar 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-791
References		https://nvd.nist.gov/vuln/detail/CVE-2026-3644 https://www.cve.org/CVERecord?id=CVE-2026-3644
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}` threat_severity `Moderate`

Mon, 16 Mar 2026 19:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-116 CWE-20
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 16 Mar 2026 18:15:00 +0000

Type	Values Removed	Values Added
References		https://github.com/python/cpython/commit/62ceb396fcbe69da1ded3702de586f4072b590dd https://github.com/python/cpython/commit/d16ecc6c3626f0e2cc8f08c309c83934e8a979dd

Mon, 16 Mar 2026 17:45:00 +0000

Type	Values Removed	Values Added
Description		The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), \|= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().
Title		Incomplete control character validation in http.cookies
References		https://github.com/python/cpython/commit/57e88c1cf95e1481b94ae57abe1010469d47a6b4 https://github.com/python/cpython/issues/145599 https://github.com/python/cpython/pull/145600 https://mail.python.org/archives/list/security-announce@python.org/thread/H6CADMBCDRFGWCMOXWUIHFJNV43GABJ7/
Metrics		cvssV4_0 `{'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N'}`

Subscriptions

Python Cpython

MITRE

Status: PUBLISHED

Assigner: PSF

Published: 2026-03-16T17:37:31.344Z

Updated: 2026-03-16T18:25:55.021Z

Reserved: 2026-03-06T16:13:09.289Z

Link: CVE-2026-3644

Vulnrichment

Updated: 2026-03-16T18:24:32.300Z

NVD

Status : Awaiting Analysis

Published: 2026-03-16T18:16:09.907

Modified: 2026-03-17T14:20:01.670

Link: CVE-2026-3644

Redhat

Severity : Moderate

Publid Date: 2026-03-16T17:37:31Z

Links: CVE-2026-3644 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-24T10:50:05Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object