CVE Vulnerability Database

CVE-2026-0864: Python configparser Injection Vulnerability

CVE-2026-0864 is a configuration injection flaw in Python's configparser module that allows attackers to inject malicious keys and values through carriage return characters. This article covers technical details, affected versions, impact, and mitigation strategies.

CVE-2026-0864 Overview

CVE-2026-0864 is an injection vulnerability in the Python configparser standard library module. When configparser writes configuration files containing multi-line text values, carriage return characters (\r) embedded in attacker-controlled values are not normalized. This allows an attacker who controls a written value to inject unexpected keys and values into the resulting INI-style configuration file. The flaw is tracked under CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component. Exploitation requires local access, high privileges, and user interaction, limiting practical impact but creating risk in automation pipelines that round-trip user-supplied data through configuration files.

Critical Impact

Attackers who control a written configuration value can inject arbitrary keys and values, potentially altering application behavior on the next configuration read.

Affected Products

  • CPython configparser module in versions prior to the GH-143927 fix
  • Python 3.14 branch (patched via commit 71f2e02a)
  • Python 3.15 branch (patched via commit 0adb386f)

Discovery Timeline

  • 2026-06-23 - CVE-2026-0864 published to NVD
  • 2026-06-24 - Last updated in NVD database

Technical Details for CVE-2026-0864

Vulnerability Analysis

The configparser module serializes section keys and values using newline (\n) escaping. When writing a multi-line value, the writer replaces \n with \n\t so that continuation lines are recognized as part of the same value on re-read. The original logic only handled the line-feed character. Carriage returns (\r) and CRLF sequences (\r\n) were passed through unchanged. A parser that treats \r as a line terminator interprets text following a carriage return as a new key-value pair or section header. An attacker who controls the value passed to RawConfigParser.write() can therefore inject configuration directives that take effect on the next load.

Root Cause

The root cause is incomplete output neutralization in Lib/configparser.py. The writer escapes \n but does not normalize \r or \r\n to the same indented continuation form. Downstream readers that split on any line ending boundary then observe injected keys.

Attack Vector

The attack vector is local. An attacker must already supply data that an application stores via configparser.write() and reads back later. Examples include configuration management tools, web application settings persisted from form input, or test harnesses that serialize user-controlled fixtures. The injected content executes no code directly but can alter feature flags, file paths, credentials, or any other directive read from the resulting file.

python
# Patch from Lib/configparser.py (CPython GH-143927)
             value = self._interpolation.before_write(self, section_name, key,
                                                      value)
             if value is not None or not self._allow_no_value:
-                value = delimiter + str(value).replace('\n', '\n\t')
+                # Convert all possible line-endings into '\n\t'
+                value = (delimiter + str(value).replace('\r\n', '\n')
+                         .replace('\r', '\n').replace('\n', '\n\t'))
             else:
                 value = ""
             fp.write("{}{}\n".format(key, value))
# Source: https://github.com/python/cpython/commit/0adb386f6e68eb2e73d32e19f235d012df009528
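Review bot: the replace() chain in the `+` lines is order-dependent (`'\r\n'` must be collapsed before bare `'\r'`, and both before the `'\n'` to `'\n\t'` step, otherwise a CRLF becomes `'\n\n'` and yields a second continuation line), but nothing in the hunk records that; a one-line comment stating the required order would keep a later tidy-up from reordering the calls. The unchanged `fp.write("{}{}\n".format(key, value))` line still emits `key` with no line-terminator normalization at all, so if keys can come from the same untrusted source as values, the same treatment (or a rejection of `'\r'`/`'\n'` in keys) belongs here too.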

The fix normalizes \r\n and bare \r to \n before applying the existing \n to \n\t indentation rule, ensuring all line terminators become continuation lines.

Detection Methods for CVE-2026-0864

Indicators of Compromise

  • Configuration files containing unexpected keys, sections, or values that were not set by legitimate code paths
  • INI files with inconsistent indentation patterns around values that originated from user input
  • Application logs showing configuration directives loaded from values that should not contain directives

Detection Strategies

  • Inventory uses of configparser.RawConfigParser.write(), ConfigParser.write(), and SafeConfigParser.write() across the codebase and flag any path that serializes externally sourced strings
  • Static analysis to identify call sites where untrusted input flows into set() or __setitem__() on a ConfigParser instance before a write() call
  • Hash or content-diff configuration files at known-good states and alert on unexpected key additions between writes

Monitoring Recommendations

  • Monitor filesystem changes to INI configuration files written by Python services and flag unexpected sections or keys
  • Audit Python runtime versions across hosts and tag systems running pre-patch CPython 3.14 or 3.15 builds
  • Capture command-line and process telemetry for Python interpreters that read configuration files immediately after modification by another process

How to Mitigate CVE-2026-0864

Immediate Actions Required

  • Upgrade CPython to a release containing the GH-143927 fix on the 3.14 or 3.15 branch
  • Strip or reject \r characters from any untrusted string before passing it to configparser setters
  • Treat configuration files written from user-supplied content as untrusted input on read and validate critical keys against an allowlist

Patch Information

The fix is applied in Lib/configparser.py and normalizes \r\n, \r, and \n to the indented continuation form \n\t. Reference commits: 3.15 update, main fix, 3.14 backport, and additional patch. See the CPython issue tracker, the pull request, and the Python security announcement.

Workarounds

  • Sanitize values before assignment with value = value.replace('\r\n', '\n').replace('\r', '\n') to mirror the upstream fix
  • Reject any input containing carriage return characters at the application boundary when those values are destined for INI serialization
  • Use a structured serialization format such as JSON or TOML for files that must hold user-controlled data

bash
# Verify the installed Python version includes the configparser fix
python3 -c "import configparser, io; c=configparser.ConfigParser(); c['s']={'k':'a\rinjected=1'}; b=io.StringIO(); c.write(b); print(b.getvalue())"
# Patched output indents the injected line with a tab; unpatched output emits 'injected=1' as a new key
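The sanitize-before-write workaround and the "alert on unexpected keys" detection strategy above, as an added example that is not part of this article or of CPython: normalize_value mirrors the upstream replacement order, write_config applies it to every value before configparser serializes it, and unexpected_entries re-reads the file and reports any (section, key) pair the application never set. The section and option names are constructed for the example; round_trip is a hypothetical helper that stores one user-controlled value and checks the file on re-read.

```python
import configparser
import os
import tempfile


def normalize_value(value: str) -> str:
    """Collapse every line terminator to '\\n' in the same order as the upstream fix.

    '\\r\\n' must go first: replacing bare '\\r' first would turn a CRLF into '\\n\\n'.
    configparser.write() then turns each '\\n' into the '\\n\\t' continuation form.
    """
    return value.replace("\r\n", "\n").replace("\r", "\n")


def write_config(path: str, sections: dict) -> None:
    """Serialize {section: {key: value}} to an INI file, sanitizing values first."""
    parser = configparser.ConfigParser(interpolation=None)
    for section, options in sections.items():
        parser[section] = {k: normalize_value(v) for k, v in options.items()}
    with open(path, "w", encoding="utf-8") as fp:
        parser.write(fp)


def read_config(path: str) -> configparser.ConfigParser:
    """Read the file back the way the application would (universal newlines)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read(path, encoding="utf-8")
    return parser


def unexpected_entries(path: str, expected: dict) -> list:
    """Detection check: (section, key) pairs on disk that no legitimate code path set."""
    parser = read_config(path)
    found = []
    for section in parser.sections():
        for key in parser[section]:
            if key not in expected.get(section, {}):
                found.append((section, key))
    return found


def round_trip(value: str) -> tuple:
    """Store one user-controlled value; return (value as re-read, injected entries)."""
    expected = {"app": {"note": value}}  # constructed sample: one section, one key
    fd, path = tempfile.mkstemp(suffix=".ini")
    os.close(fd)
    try:
        write_config(path, expected)
        return read_config(path)["app"]["note"], unexpected_entries(path, expected)
    finally:
        os.unlink(path)
```

Because the value is normalized before configparser sees it, the same result holds on patched and unpatched interpreters; a value like 'a\rinjected=1' is re-read as the two-line string 'a\ninjected=1' and no 'injected' key appears.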

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
