CVE-2026-0672 Overview
CVE-2026-0672 is an HTTP Response Splitting vulnerability in Python's http.cookies.Morsel class. When an application passes user-controlled cookie values and parameters through this module, an attacker can inject HTTP headers into the resulting messages. The vulnerability arises from insufficient validation of control characters within cookie names, values, and parameters, enabling attackers to manipulate HTTP responses.
Critical Impact
Attackers can inject arbitrary HTTP headers through malicious cookie values, potentially leading to cache poisoning, session hijacking, cross-site scripting (XSS), or other HTTP response manipulation attacks.
Affected Products
- Python CPython (http.cookies module)
Discovery Timeline
- 2026-01-20 - CVE CVE-2026-0672 published to NVD
- 2026-01-20 - Last updated in NVD database
Technical Details for CVE-2026-0672
Vulnerability Analysis
This vulnerability is classified under CWE-93 (Improper Neutralization of CRLF Sequences), commonly known as HTTP Response Splitting. The http.cookies.Morsel class in Python failed to properly sanitize control characters in cookie names, values, and parameters. This oversight allows attackers to inject CRLF (Carriage Return Line Feed) sequences and other control characters into cookie data, which can then be interpreted as HTTP header delimiters when the cookie is serialized into an HTTP response.
The attack is network-based and of low complexity, though some preconditions must be present for successful exploitation. An authenticated attacker with low privileges can exploit this vulnerability without user interaction. The vulnerability does not impact availability; it poses a low risk to confidentiality and a high risk to integrity, since attackers can manipulate HTTP responses.
Root Cause
The root cause lies in insufficient input validation within the http.cookies module. Prior to the patch, the module accepted control characters within cookie values, including the line feed (\012 in octal notation). These control characters could terminate an HTTP header prematurely and inject additional headers or content into the HTTP response stream.
Attack Vector
The attack vector is network-based. An attacker who can influence cookie values processed by a Python application using http.cookies.Morsel can inject control characters that break out of the cookie context. When the application generates HTTP responses containing these malicious cookies, the injected control characters are interpreted as HTTP protocol delimiters, allowing the attacker to:
- Inject additional HTTP headers
- Potentially inject response body content
- Perform cache poisoning attacks
- Enable cross-site scripting through header injection
The following code demonstrates the security patch that addresses this vulnerability:
such trickeries do not confuse it.
>>> C = cookies.SimpleCookie()
- >>> C.load('keebler="E=everybody; L=\\"Loves\\"; fudge=\\012;";')
+ >>> C.load('keebler="E=everybody; L=\\"Loves\\"; fudge=;";')
>>> print(C)
- Set-Cookie: keebler="E=everybody; L=\"Loves\"; fudge=\012;"
+ Set-Cookie: keebler="E=everybody; L=\"Loves\"; fudge=;"
Each element of the Cookie also supports all of the RFC 2109
Cookie attributes. Here's an example which sets the Path
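Review bot: these lines only edit the doctest in the module docstring (the `fudge=\\012` example becomes `fudge=`), so the excerpt shows none of the validation that actually rejects control characters; the enforcing change described under Patch Information is not visible here and cannot be reviewed from this hunk. Dropping the control-character case from the documentation also removes the one place that exercised it; a regression test that loads a value containing `\012` and asserts it is rejected would make the new behaviour verifiable and would guard against the old round-trip output, `Set-Cookie: keebler="E=everybody; L=\"Loves\"; fudge=\012;"`, where the line feed was echoed straight into the header line, ever reappearing.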
Source: GitHub Commit Overview
The patch removes the ability to include control characters like \012 (line feed) in cookie values, preventing HTTP header injection.
Detection Methods for CVE-2026-0672
Indicators of Compromise
- Unusual control characters or escape sequences (e.g., \012, \015, %0d, %0a) in cookie values within application logs
- HTTP response anomalies showing unexpected headers following Set-Cookie directives
- Web application firewall logs indicating CRLF injection attempts in cookie parameters
Detection Strategies
- Deploy web application firewall rules to detect and block CRLF sequences in cookie values
- Implement application-level logging to monitor for control characters in user-supplied cookie data
- Use static code analysis tools to identify usage of http.cookies.Morsel with unsanitized user input
- Enable HTTP response inspection to detect malformed or unexpected header structures
Monitoring Recommendations
- Monitor web server access logs for requests containing encoded control characters (%0d%0a, %0a, %0d)
- Implement real-time alerting for HTTP response splitting patterns in outbound traffic
- Review application dependencies to track Python version and ensure patched versions are deployed
How to Mitigate CVE-2026-0672
Immediate Actions Required
- Update Python to the latest patched version that includes the security fix for http.cookies
- Review all code paths where user input is used to set cookie values and implement additional sanitization
- Deploy web application firewall rules to block requests containing control characters in cookie-related parameters
- Audit existing applications for potential exploitation of this vulnerability
Patch Information
The Python Security Team has released a patch that rejects all control characters within cookie names, values, and parameters. The fix is available in commit 95746b3a13a985787ef53b977129041971ed7f70. For detailed information about the patch, refer to the GitHub Pull Request Review and the Python Security Announcement Thread.
Workarounds
- Implement input validation to strip or reject control characters from all user-supplied data before passing to http.cookies
- Use a wrapper function to sanitize cookie values by removing characters outside the printable ASCII range
- Consider using alternative cookie handling libraries that enforce strict validation
- Apply network-level filtering to detect and block HTTP response splitting patterns
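As an added example (not code from CPython or from the patch), the block below implements the "strip or reject" and "wrapper function" workarounds above as a hypothetical pre-validation wrapper around http.cookies, and pairs it with a scan of constructed access-log lines for the encoded and escaped CRLF indicators listed under Detection Methods. The function names and the sample log lines are assumptions made for this illustration.

```python
import re
from http import cookies

# Any C0 control character (0x00-0x1F) or DEL (0x7F) in a cookie field can
# become a header delimiter once the Morsel is serialised, so reject them all
# instead of escaping CR and LF case by case.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")

# Indicators from the IoC list above: percent-encoded CR/LF, the octal escapes
# \015 and \012 as they appear in logs, and raw CR/LF characters.
_CRLF_INDICATOR = re.compile(r"%0[dD]|%0[aA]|\\01[25]|[\r\n]")


def has_control_char(text):
    """True if the string holds any control character (hypothetical helper)."""
    return _CONTROL.search(str(text)) is not None


def safe_set_cookie(name, value, **attrs):
    """Return one Set-Cookie header line, raising ValueError if the name, the
    value or any attribute contains a control character (hypothetical wrapper)."""
    for label, text in [("name", name), ("value", value), *attrs.items()]:
        if has_control_char(text):
            raise ValueError(f"control character in cookie {label}")
    jar = cookies.SimpleCookie()
    jar[name] = value                 # http.cookies still quotes/validates it
    for attr, attr_value in attrs.items():
        jar[name][attr] = attr_value  # e.g. path="/"; unknown names raise
    return jar.output()


def find_crlf_indicators(log_lines):
    """Return (line_number, indicator) pairs that a monitor should alert on."""
    return [(lineno, match.group(0))
            for lineno, line in enumerate(log_lines, start=1)
            for match in _CRLF_INDICATOR.finditer(line)]


# Constructed access-log lines for the demonstration, not from any real system.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /prefs?theme=dark HTTP/1.1" 200',
    '10.0.0.9 - - "GET /prefs?theme=dark%0d%0aInjected HTTP/1.1" 200',
    '10.0.0.7 - - "GET /prefs?lang=en%0A HTTP/1.1" 200',
]

if __name__ == "__main__":
    print(safe_set_cookie("theme", "dark", path="/"))
    for lineno, indicator in find_crlf_indicators(SAMPLE_LOG):
        print(f"log line {lineno}: suspicious {indicator!r}")
```

The wrapper runs the same way on patched and unpatched interpreters, so it can be deployed ahead of the Python upgrade and left in place afterwards as defence in depth.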
# Example: Check Python version and update
python3 --version
# Update Python to the latest patched version
# For systems using pyenv:
pyenv install 3.x.x # Install patched version
pyenv global 3.x.x # Set as default
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

