CVE-2026-35536 Overview
A cookie attribute injection vulnerability exists in Tornado web framework versions prior to 6.5.5. The flaw stems from insufficient validation of the domain, path, and samesite arguments passed to the RequestHandler.set_cookie method. An attacker could place crafted characters in these parameters to inject arbitrary cookie attributes, potentially leading to security control bypasses.
Critical Impact
Attackers can inject arbitrary cookie attributes to manipulate session handling, bypass security restrictions, or conduct cross-site attacks by exploiting the improper validation in Tornado's cookie handling mechanism.
Affected Products
- Tornado versions before 6.5.5
Discovery Timeline
- 2026-04-03 - CVE-2026-35536 published to NVD
- 2026-04-03 - Last updated in NVD database
Technical Details for CVE-2026-35536
Vulnerability Analysis
This vulnerability falls under CWE-159 (Improper Handling of Invalid Use of Special Elements), which occurs when software does not properly handle unexpected or malformed input containing special characters. In the context of Tornado's cookie handling, the set_cookie method accepts user-controllable parameters for domain, path, and samesite attributes without adequate sanitization.
Cookie attribute injection can have serious security implications. When applications allow untrusted input to influence cookie attributes, attackers may be able to override security-relevant cookie properties such as the Secure, HttpOnly, or SameSite flags. This could enable session fixation attacks, cross-site request forgery (CSRF), or information disclosure depending on the application's security model.
The network-accessible nature of this vulnerability means that remote attackers can potentially exploit it without requiring authentication or user interaction, making it a significant concern for web applications built on vulnerable Tornado versions.
Root Cause
The root cause is improper input validation in the RequestHandler.set_cookie method. The domain, path, and samesite parameters are not validated for crafted or special characters before being included in the Set-Cookie HTTP response header. This allows an attacker to inject additional cookie attributes or terminate the current attribute and start new ones by including delimiter characters such as semicolons or newlines.
Attack Vector
The attack vector is network-based, allowing remote exploitation. An attacker who can control or influence the values passed to set_cookie parameters (typically through application logic flaws or reflected input) can inject malicious cookie attribute values. For example, by injecting a semicolon followed by additional attributes, an attacker could override security flags or set cookies for broader domains than intended.
The vulnerability can be exploited when application code passes unsanitized user input to the domain, path, or samesite parameters of the set_cookie method. Successful exploitation could allow an attacker to manipulate cookie scope, disable security flags, or perform session manipulation attacks.
For detailed technical information about the exploitation mechanism and affected code paths, refer to the GitHub Security Advisory GHSA-78cv-mqj4-43f7.
Detection Methods for CVE-2026-35536
Indicators of Compromise
- Unusual Set-Cookie headers containing multiple semicolon-separated attributes or unexpected values in server responses
- Log entries showing malformed or suspicious values in cookie-related request parameters
- Evidence of session manipulation or unexpected cookie behavior reported by users or monitoring systems
Detection Strategies
- Review web server access logs for requests containing special characters (;, \r, \n) in parameters that may influence cookie attributes
- Implement web application firewall (WAF) rules to detect and block injection patterns in cookie-related inputs
- Conduct code review to identify instances where user-controllable input flows into set_cookie calls without validation
Monitoring Recommendations
- Enable detailed logging for Tornado application handlers, particularly around authentication and session management
- Monitor for anomalous patterns in cookie header lengths or structure in HTTP responses
- Set up alerts for any unexpected changes in cookie security attributes across application endpoints
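The indicators and detection strategies above can be checked mechanically. The following script is an added example, not part of the original advisory and not Tornado code: it scans constructed Common Log Format access-log lines for watched query parameters whose decoded value contains an attribute or line delimiter (';', CR, LF), and inspects Set-Cookie header values for attribute names outside the standard set or repeated attributes. The parameter names in WATCHED_PARAMS and the sample log lines are hypothetical and should be replaced with the application's own.

```python
import re
from urllib.parse import unquote, urlsplit

# Characters that let a value escape a single cookie attribute: ';' ends the
# attribute, CR/LF end the header line. Values are percent-decoded first so
# both raw and %3B / %0D / %0A forms are caught.
_DELIMS = re.compile(r"[;\r\n]")

# Query parameters this (hypothetical) application feeds into set_cookie().
WATCHED_PARAMS = {"domain", "path", "samesite", "return_to"}

# Attributes a Set-Cookie header may legitimately carry (RFC 6265 + SameSite).
KNOWN_ATTRS = {"expires", "max-age", "domain", "path", "secure", "httponly", "samesite"}

# Common Log Format: ip ident user [ts] "METHOD target PROTO" status ...
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic): one clean request, one
# with an encoded ';' in "path", one with encoded CR LF in "domain".
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Apr/2026:10:00:01 +0000] "GET /login?return_to=%2Fhome HTTP/1.1" 200 512',
    '203.0.113.7 - - [03/Apr/2026:10:00:02 +0000] "GET /login?path=%2Fapp%3Bx%3Dy HTTP/1.1" 200 512',
    '198.51.100.9 - - [03/Apr/2026:10:00:03 +0000] "GET /login?domain=example.com%0D%0A HTTP/1.1" 200 512',
]


def scan_request_line(line: str) -> list:
    """Return (ip, param, decoded_value) for each watched parameter whose
    decoded value contains a cookie-attribute delimiter. Non-matching or
    unparsable lines yield nothing."""
    m = _LOG_RE.match(line)
    if not m:
        return []
    findings = []
    query = urlsplit(m.group("target")).query
    # Split on '&' by hand rather than parse_qsl(): older Python versions also
    # split on ';', which would hide exactly the character we look for.
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, raw = pair.partition("=")
        key = unquote(key).lower()
        if key not in WATCHED_PARAMS:
            continue
        value = unquote(raw)
        if _DELIMS.search(value):
            findings.append((m.group("ip"), key, value))
    return findings


def scan_log(lines) -> list:
    """Run scan_request_line over every line and flatten the findings."""
    return [f for line in lines for f in scan_request_line(line)]


def check_set_cookie(header_value: str) -> list:
    """Return (reason, attribute) anomalies for one Set-Cookie header value:
    attribute names outside KNOWN_ATTRS, repeated attributes, or empty
    attributes (';;'), none of which a validated set_cookie() call produces."""
    parts = [p.strip() for p in header_value.split(";")]
    findings, seen = [], set()
    for attr in parts[1:]:  # parts[0] is the name=value pair
        if not attr:
            findings.append(("empty-attribute", attr))
            continue
        key = attr.partition("=")[0].strip().lower()
        if key not in KNOWN_ATTRS:
            findings.append(("unknown-attribute", attr))
        elif key in seen:
            findings.append(("repeated-attribute", attr))
        seen.add(key)
    return findings


if __name__ == "__main__":
    for ip, param, value in scan_log(SAMPLE_LOG):
        print(f"suspicious {param}={value!r} from {ip}")
    print(check_set_cookie("session=abc; Path=/; Path=/; Foo=1"))
```

On the request side the scanner only looks at parameters the application is known to pass into set_cookie, which keeps noise low; on the response side check_set_cookie can be run over Set-Cookie values captured by a reverse proxy or test client to confirm that no endpoint emits attributes outside the expected set.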
How to Mitigate CVE-2026-35536
Immediate Actions Required
- Upgrade Tornado to version 6.5.5 or later immediately to address the vulnerability
- Audit application code for any instances where user input is passed to set_cookie method parameters
- Implement input validation to sanitize domain, path, and samesite values before use in cookie operations
Patch Information
The vulnerability has been addressed in Tornado version 6.5.5. The fix implements proper validation and sanitization of the domain, path, and samesite arguments in the set_cookie method to prevent injection of crafted characters.
For patch details and upgrade instructions, see the GitHub Tornado Release Note.
Workarounds
- If immediate upgrade is not possible, implement application-level input validation to reject or sanitize special characters in cookie attribute values before passing them to set_cookie
- Use allowlist validation for domain and path parameters to ensure only expected values are accepted
- Consider implementing a wrapper function for set_cookie that enforces strict validation until the framework can be upgraded
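The wrapper described in the last workaround, and the root-cause section's point that a delimiter character must never reach the Set-Cookie header, can be implemented as follows. This is an added example, not code from the advisory and not Tornado's own 6.5.5 fix: it rejects (rather than strips) any ';' or control byte in domain and path, allowlists domain against a hostname pattern, and allowlists samesite to the three values browsers accept. It assumes the keyword names of Tornado's RequestHandler.set_cookie (domain, path, samesite, secure, httponly); the _RecordingHandler stand-in exists only so the example runs without Tornado installed.

```python
import re
from typing import Any, Optional

# ';' ends a cookie attribute, CR/LF end the header line, and RFC 6265 forbids
# every other control byte in a cookie-av, so all of them are rejected outright.
_FORBIDDEN = re.compile(r"[;\x00-\x1f\x7f]")

# Domain allowlist: optional leading dot, then dot-separated hostname labels.
_DOMAIN_RE = re.compile(r"^\.?[A-Za-z0-9-]{1,63}(\.[A-Za-z0-9-]{1,63})*$")

# SameSite values browsers understand, keyed by their lower-case form.
_SAMESITE = {"strict": "Strict", "lax": "Lax", "none": "None"}


class CookieAttributeError(ValueError):
    """Raised when an attribute value could not survive as a single attribute."""


def validate_cookie_attrs(domain: Optional[str], path: Optional[str],
                          samesite: Optional[str], secure: bool) -> dict:
    """Return normalised domain/path/samesite values, or raise.

    A bad value fails loudly instead of being silently cleaned, so a caller
    that is being fed hostile input notices it in logs or tests.
    """
    out: dict = {}
    if domain is not None:
        if _FORBIDDEN.search(domain) or not _DOMAIN_RE.match(domain):
            raise CookieAttributeError(f"invalid cookie domain: {domain!r}")
        out["domain"] = domain.lower()
    if path is not None:
        if _FORBIDDEN.search(path) or not path.startswith("/"):
            raise CookieAttributeError(f"invalid cookie path: {path!r}")
        out["path"] = path
    if samesite is not None:
        canon = _SAMESITE.get(samesite.strip().lower())
        if canon is None:
            raise CookieAttributeError(f"invalid SameSite value: {samesite!r}")
        if canon == "None" and not secure:
            # Browsers discard SameSite=None cookies that are not also Secure.
            raise CookieAttributeError("SameSite=None requires secure=True")
        out["samesite"] = canon
    return out


def safe_set_cookie(handler: Any, name: str, value: str, *,
                    domain: Optional[str] = None, path: str = "/",
                    samesite: Optional[str] = None, secure: bool = False,
                    **kwargs: Any) -> dict:
    """Validate the attributes, then delegate to handler.set_cookie().

    `handler` is assumed to expose Tornado's RequestHandler.set_cookie
    keyword interface. The validated attribute set is returned so the
    caller can log or assert on what was actually sent.
    """
    attrs = validate_cookie_attrs(domain, path, samesite, secure)
    handler.set_cookie(name, value, secure=secure, **attrs, **kwargs)
    return attrs


class _RecordingHandler:
    """Stand-in for a Tornado RequestHandler that just records set_cookie calls."""

    def __init__(self) -> None:
        self.calls: list = []

    def set_cookie(self, name: str, value: str, **kwargs: Any) -> None:
        self.calls.append((name, value, kwargs))


if __name__ == "__main__":
    h = _RecordingHandler()
    print(safe_set_cookie(h, "session", "abc123", domain="Example.com",
                          path="/app", samesite="lax", secure=True, httponly=True))
    try:
        safe_set_cookie(h, "session", "abc123", path="/app;x")
    except CookieAttributeError as exc:
        print("rejected:", exc)
```

In a real Tornado application the wrapper is called from inside a RequestHandler method as safe_set_cookie(self, ...), and can be removed once the framework is upgraded to 6.5.5 or later; keeping the validation in place afterwards costs nothing and documents which values the application considers legitimate.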
# Upgrade Tornado to the patched version (quote the spec so the shell does not treat ">=" as a redirect)
pip install --upgrade "tornado>=6.5.5"
# Verify the installed version
pip show tornado | grep Version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.