Skip to main content

CVE-2026-1502

| EUVDEUVD-2026-21519 MEDIUM
Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)
2026-04-10 cna@python.org GHSA-hjxq-7w9q-2jw6
5.7
CVSS 4.0 · Vendor: python
Share

Severity by source

Vendor (python) PRIMARY
5.7 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
4.9 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Red Hat
4.5 MEDIUM
qualitative

Primary rating from Vendor (python).

CVSS VectorVendor: python

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
3.15.0
EUVD ID Assigned
Apr 10, 2026 - 18:22 euvd
EUVD-2026-21519
Analysis Generated
Apr 10, 2026 - 18:22 vuln.today
CVE Published
Apr 10, 2026 - 18:16 nvd
MEDIUM 5.7

DescriptionCVE.org

CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.

AnalysisAI

Python's HTTP client fails to reject carriage return and line feed (CR/LF) bytes in proxy tunnel headers and host parameters, enabling HTTP response splitting and header injection attacks. Authenticated attackers with high privileges can craft malicious proxy configurations to inject arbitrary HTTP headers or split responses, potentially leading to cache poisoning, session hijacking, or information disclosure. No public exploit code or active exploitation has been identified.

Technical ContextAI

The vulnerability exists in Python's HTTP client library, which handles HTTP proxy tunnel connections via the CONNECT method. The HTTP specification (RFC 7230) explicitly prohibits CR/LF characters (0x0D 0x0A) in header field values to prevent header injection and response splitting attacks. The HTTP client's validation logic for proxy tunnel headers and the host parameter fails to reject these control characters before constructing the proxy request, allowing an attacker who controls proxy configuration parameters to inject newline sequences that break HTTP message framing. This is fundamentally a validation and sanitization failure in header construction rather than a cryptographic or authentication bypass.

RemediationAI

Upstream fix available via cpython commit 05ed7ce7ae9e17c23a04085b2539fe6d6d3cef69 and pull request #146212. Users should update to the next Python release containing this commit; the Python Security Advisory (available at https://mail.python.org/archives/list/security-announce@python.org/thread/2IVPAEQWUJBCTQZEJEVTYCIKSMQPGRZ3/) specifies the affected versions and patched releases. As an interim workaround, restrict proxy configuration to trusted sources, validate proxy hostnames and ports programmatically to reject any containing CR/LF sequences, and avoid exposing proxy parameters to user input. Organizations should prioritize patching development environments and build systems where proxy configuration may be user-controlled.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SLES15-SP5-CHOST-BYOS-SAP-CCloud Fixed
SLES15-SP6-CHOST-BYOS Fixed
SLES15-SP6-CHOST-BYOS-Aliyun Fixed
SLES15-SP6-CHOST-BYOS-Azure Fixed
SLES15-SP6-CHOST-BYOS-EC2 Fixed

Share

CVE-2026-1502 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy