Description
Microdot is a minimalistic Python web framework. Prior to 2.6.1, the Response.set_cookie() method does not sanitize its string arguments, and in particular will not detect the presence of the \r\n sequence in them. This can be a potential source of header injection attacks. For a header injection attack through this issue to be possible, an attacker must first infiltrate the client (for example through an independent XSS attack), so that it can send malicious information that is destined to be stored in a cookie by the server on behalf of the victim. An attacker that infiltrates one client can only orchestrate a header injection attack for that client; all other clients that were not infiltrated are safe. This vulnerability is fixed in 2.6.1.
Published: 2026-05-11
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in Microdot's Response.set_cookie() method, which fails to sanitize string arguments containing the CRLF sequence. An attacker can use this flaw to perform header injection, leading to HTTP response splitting and the ability to inject arbitrary cookie values into the response. The injected headers are not executed as code on the server side, but they can manipulate client-side processing of the response and potentially facilitate session fixation or other side-channel attacks.

Affected Systems

Microdot, a minimal Python web framework by Miguel Grinberg, is affected in all releases older than 2.6.1. Users running any unsupported or legacy version prior to the 2.6.1 release are potentially vulnerable.

Risk and Exploitability

The CVSS score is 3.7, indicating a low severity level. Exploitation requires that the attacker first compromise the client (for example through an independent XSS vulnerability) so that the malicious payload is sent to the server and stored in a cookie. The attack impacts only the compromised client; other users of the same application remain unaffected. EPSS data is not available, and the issue is not listed in the CISA KEV catalog. The overall risk is considered minimal, but the vulnerability could enable subtle response manipulation if the client is already subverted.

Generated by OpenCVE AI on May 11, 2026 at 20:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Microdot to version 2.6.1 or later, which sanitizes cookie input
  • If upgrading is not immediately possible, sanitize any values passed to set_cookie() by removing CR and LF characters before assignment
  • Close any separate client-side XSS vectors that could be used to inject data into the cookie, for example by applying a strict Content Security Policy
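As an added example (not Microdot's own code, and not a reproduction of its set_cookie() signature), a small validator that a deployment could put in front of set_cookie() until it can upgrade: it detects CR, LF and NUL in every cookie field and either rejects the request or strips the characters, as the second recommendation above suggests. The names has_header_injection, strip_header_ctl and safe_set_cookie_header are hypothetical, and the sample inputs are constructed.

```python
import re

# Control characters that terminate a header line (CR, LF) or a C string (NUL).
# A cookie value containing CR LF can close the Set-Cookie line and start a
# second, attacker-chosen header: CWE-113, the weakness recorded for this CVE.
_HEADER_CTL = re.compile(r"[\r\n\x00]")


def has_header_injection(text: str) -> bool:
    """True if `text` contains a character that could split an HTTP header line."""
    return _HEADER_CTL.search(text) is not None


def strip_header_ctl(text: str) -> str:
    """Remove CR, LF and NUL: the 'remove CR and LF characters' mitigation above."""
    return _HEADER_CTL.sub("", text)


def safe_set_cookie_header(name: str, value: str, path: str = "/", strict: bool = True) -> str:
    """Build the Set-Cookie header value a wrapper would hand to the framework.

    strict=True raises on hostile input (the payload reached the server, so it
    is worth logging and refusing); strict=False strips the characters instead.
    Hypothetical helper: it does not mirror Microdot's set_cookie() parameters.
    """
    fields = {"name": name, "value": value, "path": path}
    for label, text in fields.items():
        if has_header_injection(text):
            if strict:
                raise ValueError(f"CR/LF/NUL in cookie {label}: {text!r}")
            fields[label] = strip_header_ctl(text)  # same keys, so safe to mutate
    return f"{fields['name']}={fields['value']}; Path={fields['path']}"


if __name__ == "__main__":
    # Constructed inputs: a normal session id and one carrying a CRLF split.
    benign = "s3ss10n"
    hostile = "s3ss10n\r\nSet-Cookie: admin=1"
    print(safe_set_cookie_header("session", benign))          # session=s3ss10n; Path=/
    print(has_header_injection(hostile))                       # True
    print(safe_set_cookie_header("session", hostile, strict=False))
```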

Generated by OpenCVE AI on May 11, 2026 at 20:21 UTC.


Advisories

Source: Github GHSA
ID: GHSA-7wc8-wvc4-m498
Title: Microdot has HTTP response splitting in Response.set_cookie()
History

Tue, 12 May 2026 10:45:00 +0000

Type: First Time appeared
  Values added: Miguelgrinberg; Miguelgrinberg microdot
Type: Vendors & Products
  Values added: Miguelgrinberg; Miguelgrinberg microdot

Mon, 11 May 2026 19:30:00 +0000

Type: Description
  Values added: Microdot is a minimalistic Python web framework. Prior to 2.6.1, the Response.set_cookie() method does not sanitize its string arguments, and in particular will not detect the presence of the \r\n sequence in them. This can be a potential source of header injection attacks. For a header injection attack through this issue to be possible, an attacker must first infiltrate the client (for example through an independent XSS attack), so that it can send malicious information that is destined to be stored in a cookie by the server on behalf of the victim. An attacker that infiltrates one client can only orchestrate a header injection attack for that client, all other clients that were not infiltrated are safe. This vulnerability is fixed in 2.6.1.
Type: Title
  Values added: Microdot: HTTP response splitting in Response.set_cookie()
Type: Weaknesses
  Values added: CWE-113
Type: References
  Values added: (none shown)
Type: Metrics
  Values added: cvssV3_1 {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-05-11T19:04:26.708Z
Reserved: 2026-04-30T18:49:06.711Z
Link: CVE-2026-42874

Vulnrichment

No data.

NVD

Status: Received
Published: 2026-05-11T20:25:43.973
Modified: 2026-05-11T20:25:43.973
Link: CVE-2026-42874

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T09:22:26Z

Weaknesses