Skip to main content

Tornado EUVDEUVD-2026-44503

| CVE-2026-49853 HIGH
Information Exposure (CWE-200)
2026-06-15 https://github.com/tornadoweb/tornado GHSA-3x9g-8vmp-wqvf PYSEC-2026-3387
7.7
CVSS 3.1 · Vendor: https://github.com/tornadoweb/tornado
Share

Severity by source

Vendor (https://github.com/tornadoweb/tornado) PRIMARY
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
vuln.today AI
7.7 HIGH

Network-reachable redirect handling, low complexity; PR:L reflects attacker control of an upstream/redirect target; scope changes as credentials cross origins; confidentiality-only impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Primary rating from Vendor (https://github.com/tornadoweb/tornado).

CVSS VectorVendor: https://github.com/tornadoweb/tornado

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 15, 2026 - 20:51 vuln.today
Analysis Generated
Jun 15, 2026 - 20:51 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 pypi packages depend on tornado (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 6.5.6.

DescriptionCVE.org

Summary

When SimpleAsyncHTTPClient follows a 3xx redirect, it shallow-copies the original HTTPRequest, rewrites the URL, decrements max_redirects, and removes only the Host header. It does not clear Authorization, auth_username, auth_password, or auth_mode when the redirect target changes origin.

As a result, credentials intended for one origin can be forwarded to a different origin when follow_redirects=True, which is the default.

Beginning in Tornado 6.5.6, SimpleAsyncHTTPClient matches the default behavior of libcurl (and therefore CurlAsyncHTTPClient): When a redirect changes the scheme, host, or port of the url, the Authorization and Cookie headers will be removed when following the redirect.

AnalysisAI

Credential leakage in Tornado's SimpleAsyncHTTPClient (versions prior to 6.5.6) allows sensitive Authorization headers and HTTP auth parameters to be forwarded to attacker-controlled origins during 3xx redirect handling. Because follow_redirects=True is the default behavior, any Tornado-based client making outbound HTTP requests with credentials may inadvertently disclose them to a redirect target on a different scheme, host, or port. No public exploit identified at time of analysis, and this issue is not listed in CISA KEV.

Technical ContextAI

Tornado is a widely deployed Python asynchronous networking framework and web server, and SimpleAsyncHTTPClient is its built-in HTTP client used for outbound requests. The flaw stems from how the client's redirect handler shallow-copies the original HTTPRequest, rewrites the URL, decrements max_redirects, and strips only the Host header - leaving Authorization, auth_username, auth_password, and auth_mode intact across origin changes. This maps to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor): credentials scoped to one origin cross a trust boundary into another. The fix in 6.5.6 aligns SimpleAsyncHTTPClient with libcurl's long-standing default behavior (also used by Tornado's CurlAsyncHTTPClient), stripping Authorization and Cookie headers whenever the redirect changes scheme, host, or port.

RemediationAI

Vendor-released patch: Tornado 6.5.6 - upgrade with pip install --upgrade tornado>=6.5.6, which makes SimpleAsyncHTTPClient strip Authorization and Cookie headers on cross-origin redirects, matching libcurl. If immediate upgrade is not possible, set follow_redirects=False on HTTPRequest objects that carry credentials and handle redirects manually so headers can be re-evaluated per hop (trade-off: callers must implement loop limits and redirect validation themselves); alternatively, switch to CurlAsyncHTTPClient, which already mirrors libcurl's safe redirect behavior (trade-off: adds a libcurl/pycurl dependency and slightly different feature surface). For services that proxy user-supplied URLs, additionally validate or allowlist redirect targets and avoid attaching long-lived bearer tokens to requests whose final destination is not pinned. Full advisory: https://github.com/tornadoweb/tornado/security/advisories/GHSA-3x9g-8vmp-wqvf.

Vendor StatusVendor

SUSE

Product Status
openSUSE Tumbleweed Fixed

Share

EUVD-2026-44503 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy