CVE-2026-0865: HTTP Header Injection XSS Vulnerability

CVE-2026-0865 Overview

CVE-2026-0865 is an HTTP Header Injection vulnerability affecting Python's wsgiref.headers.Headers module. User-controlled header names and values containing newlines can allow injecting HTTP headers, enabling attackers to manipulate HTTP responses and potentially conduct further attacks such as cache poisoning, session hijacking, or cross-site scripting through response splitting.

Critical Impact
Attackers with high privileges can inject arbitrary HTTP headers into responses by embedding newline characters in user-controlled header names or values, potentially compromising web application integrity.

Affected Products

Python CPython wsgiref.headers module (versions prior to security patches)
Applications using wsgiref for WSGI server implementations
Python web frameworks relying on wsgiref.headers.Headers for header manipulation

Discovery Timeline

2026-01-20 - CVE CVE-2026-0865 published to NVD
2026-01-20 - Last updated in NVD database

Technical Details for CVE-2026-0865

Vulnerability Analysis

This vulnerability is classified as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), commonly known as Injection. The flaw exists in Python's wsgiref.headers.Headers class, which failed to properly validate and sanitize control characters, particularly newline characters (\r\n), in HTTP header names and values.

HTTP header injection occurs when an attacker can insert newline characters into header fields. Since HTTP headers are delimited by CRLF (Carriage Return Line Feed) sequences, injecting these characters allows an attacker to terminate the current header and inject additional headers or even an entirely new HTTP response body. This technique is commonly referred to as HTTP Response Splitting.

The vulnerability requires network access and high privileges to exploit, with the primary impact being on the integrity of HTTP responses. While confidentiality and availability are not directly affected, the ability to inject arbitrary headers can lead to secondary attacks including cache poisoning, session fixation, and bypassing security headers.

Root Cause

The root cause of this vulnerability lies in insufficient input validation within the wsgiref.headers module. The module did not reject or sanitize control characters (ASCII characters 0x00-0x1F and 0x7F) when processing header names and values. This oversight allowed malicious input containing newline characters to pass through unchecked, enabling header injection attacks.

Attack Vector

The attack vector is network-based, requiring an attacker with elevated privileges to supply crafted input to an application that uses wsgiref.headers.Headers for HTTP header management. When the application constructs HTTP responses using user-supplied header names or values without proper sanitization, the attacker can inject newline characters to manipulate the response structure.

For example, an attacker could provide a header value containing \r\nX-Injected-Header: malicious-value which would result in an additional header being inserted into the HTTP response.

python

# Security patch in Lib/wsgiref/headers.py - Reject control characters
# Source: https://github.com/python/cpython/commit/22e4d55285cee52bc4dbe061324e5f30bd4dee58

# existence of which force quoting of the parameter value.
import re
tspecials = re.compile(r'[ \(\)<>@,;:\\"/\[\]\?=]')
+_control_chars_re = re.compile(r'[\\x00-\\x1F\\x7F]')

def _formatparam(param, value=None, quote=1):
    """Convenience function to format and return a key=value pair.

The patch introduces a new regular expression _control_chars_re that matches any control character in the ASCII range 0x00-0x1F and 0x7F, which are then rejected to prevent header injection attacks.

Detection Methods for CVE-2026-0865

Indicators of Compromise

Unusual HTTP headers appearing in application logs that were not explicitly set by application code
Presence of control characters or encoded newline sequences (%0d%0a, \r\n) in HTTP header values within web server access logs
Reports of unexpected cache behavior or session anomalies that could indicate header injection exploitation

Detection Strategies

Implement web application firewall (WAF) rules to detect and block requests containing newline characters or their encoded equivalents in header values
Monitor application logs for attempts to inject control characters into HTTP headers using pattern matching for \r, \n, %0d, %0a sequences
Deploy runtime application self-protection (RASP) solutions to detect header manipulation attempts at the application layer

Monitoring Recommendations

Enable verbose logging for web server and WSGI application components to capture full header information for forensic analysis
Configure security information and event management (SIEM) systems to alert on patterns consistent with HTTP response splitting attacks
Regularly audit applications using wsgiref to ensure they are running patched Python versions

How to Mitigate CVE-2026-0865

Immediate Actions Required

Upgrade Python to a patched version that includes the wsgiref.headers security fix
Review application code that handles user-supplied input for HTTP header construction and implement additional server-side validation
Deploy WAF rules as a temporary mitigation while preparing for patching

Patch Information

Security patches have been released across multiple Python branches. The fix introduces validation that rejects control characters in header names and values before they can be processed. Patches are available in the following commits:

Additional technical details are available in the GitHub Issue Discussion, GitHub Pull Request, and the Python Security Announcement.

Workarounds

Implement application-level input validation to strip or reject control characters from any user input that may be used in HTTP headers
Use a wrapper function around wsgiref.headers.Headers that validates header names and values before passing them to the underlying class
Consider using alternative WSGI implementations that include built-in protection against header injection

python

# Example: Input validation for header values before using wsgiref.headers
import re

def sanitize_header_value(value):
    """Reject header values containing control characters."""
    control_chars_re = re.compile(r'[\\x00-\\x1F\\x7F]')
    if control_chars_re.search(value):
        raise ValueError("Header value contains invalid control characters")
    return value

CVE-2026-0865 Overview

Critical Impact
Attackers with high privileges can inject arbitrary HTTP headers into responses by embedding newline characters in user-controlled header names or values, potentially compromising web application integrity.

Affected Products

Python CPython wsgiref.headers module (versions prior to security patches)
Applications using wsgiref for WSGI server implementations
Python web frameworks relying on wsgiref.headers.Headers for header manipulation

Discovery Timeline

2026-01-20 - CVE CVE-2026-0865 published to NVD
2026-01-20 - Last updated in NVD database

Technical Details for CVE-2026-0865

Vulnerability Analysis

Root Cause

Attack Vector

For example, an attacker could provide a header value containing \r\nX-Injected-Header: malicious-value which would result in an additional header being inserted into the HTTP response.

python

# Security patch in Lib/wsgiref/headers.py - Reject control characters
# Source: https://github.com/python/cpython/commit/22e4d55285cee52bc4dbe061324e5f30bd4dee58

# existence of which force quoting of the parameter value.
import re
tspecials = re.compile(r'[ \(\)<>@,;:\\"/\[\]\?=]')
+_control_chars_re = re.compile(r'[\\x00-\\x1F\\x7F]')

def _formatparam(param, value=None, quote=1):
    """Convenience function to format and return a key=value pair.

The patch introduces a new regular expression _control_chars_re that matches any control character in the ASCII range 0x00-0x1F and 0x7F, which are then rejected to prevent header injection attacks.

Detection Methods for CVE-2026-0865

Indicators of Compromise

Unusual HTTP headers appearing in application logs that were not explicitly set by application code
Presence of control characters or encoded newline sequences (%0d%0a, \r\n) in HTTP header values within web server access logs
Reports of unexpected cache behavior or session anomalies that could indicate header injection exploitation

Detection Strategies

Implement web application firewall (WAF) rules to detect and block requests containing newline characters or their encoded equivalents in header values
Monitor application logs for attempts to inject control characters into HTTP headers using pattern matching for \r, \n, %0d, %0a sequences
Deploy runtime application self-protection (RASP) solutions to detect header manipulation attempts at the application layer

Monitoring Recommendations

Enable verbose logging for web server and WSGI application components to capture full header information for forensic analysis
Configure security information and event management (SIEM) systems to alert on patterns consistent with HTTP response splitting attacks
Regularly audit applications using wsgiref to ensure they are running patched Python versions

How to Mitigate CVE-2026-0865

Immediate Actions Required

Upgrade Python to a patched version that includes the wsgiref.headers security fix
Review application code that handles user-supplied input for HTTP header construction and implement additional server-side validation
Deploy WAF rules as a temporary mitigation while preparing for patching

Patch Information

Additional technical details are available in the GitHub Issue Discussion, GitHub Pull Request, and the Python Security Announcement.

Workarounds

Implement application-level input validation to strip or reject control characters from any user input that may be used in HTTP headers
Use a wrapper function around wsgiref.headers.Headers that validates header names and values before passing them to the underlying class
Consider using alternative WSGI implementations that include built-in protection against header injection

python

# Example: Input validation for header values before using wsgiref.headers
import re

def sanitize_header_value(value):
    """Reject header values containing control characters."""
    control_chars_re = re.compile(r'[\\x00-\\x1F\\x7F]')
    if control_chars_re.search(value):
        raise ValueError("Header value contains invalid control characters")
    return value

CVE-2026-0865: HTTP Header Injection XSS Vulnerability

CVE-2026-0865 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2026-0865

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2026-0865

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2026-0865

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform

CVE-2026-0865: HTTP Header Injection XSS Vulnerability

CVE-2026-0865 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2026-0865

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2026-0865

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2026-0865

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform