CVE-2026-3644 Overview
CVE-2026-3644 is an input validation bypass vulnerability in Python's http.cookies module that represents an incomplete fix for the previously addressed CVE-2026-0672. The original patch intended to reject control characters in http.cookies.Morsel objects, but several code paths were inadvertently left unpatched, allowing attackers to bypass the input validation controls.
The vulnerability affects the Morsel.update() method, the |= operator implementation, and object unpickling paths. Additionally, the BaseCookie.js_output() method lacked the output validation that had been applied to BaseCookie.output(), creating an inconsistent security posture within the cookie handling module.
Critical Impact
Attackers can inject control characters into HTTP cookies through unpatched code paths, potentially enabling HTTP response splitting, session manipulation, or cross-site scripting attacks in web applications using Python's cookie handling.
Affected Products
- Python CPython (versions prior to security patches)
- Applications using Python's http.cookies module
- Web frameworks relying on Python's native cookie handling
Discovery Timeline
- 2026-03-16 - CVE CVE-2026-3644 published to NVD
- 2026-03-17 - Last updated in NVD database
Technical Details for CVE-2026-3644
Vulnerability Analysis
This vulnerability falls under CWE-20 (Improper Input Validation) and stems from an incomplete security patch. When CVE-2026-0672 was addressed, the fix focused on validating control characters in certain code paths but failed to account for alternative methods that modify Morsel objects.
The Morsel class in Python's http.cookies module represents individual cookie attributes. While the initial fix added validation to prevent control characters from being set directly, the update() method, Python's |= augmented assignment operator, and the unpickling mechanism for serialized Morsel objects were overlooked.
Control characters in cookies can be weaponized for HTTP response splitting attacks, where injected newline characters (\r\n) allow attackers to terminate HTTP headers prematurely and inject arbitrary content. This can lead to cache poisoning, session hijacking, or cross-site scripting depending on the application context.
Root Cause
The root cause is incomplete patch coverage in the original CVE-2026-0672 fix. The _has_control_character() validation function existed but was not invoked consistently across all entry points that modify cookie attributes. Specifically:
- The Morsel.update() method directly updated the internal dictionary without validation
- The __ior__ method (implementing |=) was entirely missing, falling back to default behavior
- The BaseCookie.js_output() method generated JavaScript output without the same sanitization applied to output()
Attack Vector
The attack vector is network-based, requiring authenticated access. An attacker with the ability to influence cookie values through application inputs can inject control characters via the unpatched methods. This could occur through:
- Form submissions that populate cookie attributes
- API endpoints that accept cookie configuration
- Deserialization of attacker-controlled pickled Morsel objects
# Security patch in Lib/http/cookies.py
# Source: https://github.com/python/cpython/commit/57e88c1cf95e1481b94ae57abe1010469d47a6b4
key = key.lower()
if key not in self._reserved:
raise CookieError("Invalid attribute %r" % (key,))
+ if _has_control_character(key, val):
+ raise CookieError("Control characters are not allowed in "
+ f"cookies {key!r} {val!r}")
data[key] = val
dict.update(self, data)
+ def __ior__(self, values):
+ self.update(values)
+ return self
+
def isReservedKey(self, K):
return K.lower() in self._reserved
Source: GitHub CPython Commit
Detection Methods for CVE-2026-3644
Indicators of Compromise
- HTTP cookies containing unexpected control characters (ASCII 0x00-0x1F, 0x7F)
- Anomalous Set-Cookie headers with embedded newlines or carriage returns
- Application logs showing CookieError exceptions after patching
- Evidence of HTTP response splitting in web server access logs
Detection Strategies
- Monitor application logs for unusual cookie parsing errors or exceptions in http.cookies module
- Implement web application firewall (WAF) rules to detect control characters in cookie values
- Review code for usage of Morsel.update(), |= operator on cookie objects, or unpickling of cookie data
- Audit inbound requests for cookie values containing non-printable characters
Monitoring Recommendations
- Enable verbose logging for Python's http.cookies module in production environments
- Configure SentinelOne to monitor for process behavior anomalies in Python web applications
- Establish baseline cookie patterns and alert on deviations that may indicate injection attempts
- Monitor for HTTP response anomalies that could indicate successful response splitting
How to Mitigate CVE-2026-3644
Immediate Actions Required
- Update Python to the latest patched version addressing CVE-2026-3644
- Review application code for usage of Morsel.update(), |= operator, or cookie unpickling
- Implement input validation at the application layer before passing data to cookie methods
- Consider using third-party cookie libraries with robust validation until patches are applied
Patch Information
The Python development team has released security patches across multiple Python branches. The fix adds _has_control_character() validation to the Morsel.update() method and implements a proper __ior__ method that routes through the validated update() path.
Patches are available for Python 3.13 and 3.14 branches:
For additional details, refer to the Python Security Announcement and GitHub Issue #145599.
Workarounds
- Implement application-level validation to reject control characters before any cookie operations
- Avoid using Morsel.update() or |= operators; set cookie attributes individually using validated setters
- Do not unpickle Morsel or BaseCookie objects from untrusted sources
- Use BaseCookie.output() instead of js_output() where possible, as it has proper validation
# Workaround: Validate cookie values before using update()
import re
def validate_cookie_value(value):
"""Reject control characters in cookie values."""
if re.search(r'[\\x00-\\x1f\\x7f]', str(value)):
raise ValueError("Control characters not allowed in cookie values")
return value
# Apply validation before any Morsel operations
for key, val in user_input.items():
validate_cookie_value(key)
validate_cookie_value(val)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
