The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().
PUBLISHED5.2
Incomplete control character validation in http.cookies
Affected products
Python Software Foundation
CPython
< 3.15.0 - AFFECTED
References
mail.python.org
https://mail.python.org/archives/list/security-announce@python.org/thread/H6CADMBCDRFGWCMOXWUIHFJNV43GABJ7/
github.com
https://github.com/python/cpython/commit/57e88c1cf95e1481b94ae57abe1010469d47a6b4
github.com
https://github.com/python/cpython/issues/145599
github.com
https://github.com/python/cpython/pull/145600
github.com
https://github.com/python/cpython/commit/62ceb396fcbe69da1ded3702de586f4072b590dd
github.com
https://github.com/python/cpython/commit/d16ecc6c3626f0e2cc8f08c309c83934e8a979dd
GitHub Security Advisories
GHSA-vf33-88pf-hwp3
The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was...
https://github.com/advisories/GHSA-vf33-88pf-hwp3The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().
nvd.nist.gov
https://nvd.nist.gov/vuln/detail/CVE-2026-3644
github.com
https://github.com/python/cpython/issues/145599
github.com
https://github.com/python/cpython/pull/145600
github.com
https://github.com/python/cpython/commit/57e88c1cf95e1481b94ae57abe1010469d47a6b4
github.com
https://github.com/python/cpython/commit/62ceb396fcbe69da1ded3702de586f4072b590dd
github.com
https://github.com/python/cpython/commit/d16ecc6c3626f0e2cc8f08c309c83934e8a979dd
mail.python.org
https://mail.python.org/archives/list/security-announce@python.org/thread/H6CADMBCDRFGWCMOXWUIHFJNV43GABJ7
github.com
https://github.com/advisories/GHSA-vf33-88pf-hwp3
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-3644Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-3644",
"assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"assignerShortName": "PSF",
"dateUpdated": "2026-03-16T18:25:55.021Z",
"dateReserved": "2026-03-06T16:13:09.289Z",
"datePublished": "2026-03-16T17:37:31.344Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"shortName": "PSF",
"dateUpdated": "2026-03-16T17:45:23.093Z"
},
"title": "Incomplete control character validation in http.cookies",
"descriptions": [
{
"lang": "en",
"value": "The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().",
"supportingMedia": [
{
"type": "text/html",
"base64": false,
"value": "The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output()."
}
]
}
],
"affected": [
{
"vendor": "Python Software Foundation",
"product": "CPython",
"modules": [
"http.cookies"
],
"repo": "https://github.com/python/cpython",
"defaultStatus": "unaffected",
"versions": [
{
"version": "0",
"status": "affected",
"versionType": "python",
"lessThan": "3.15.0"
}
]
}
],
"references": [
{
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/H6CADMBCDRFGWCMOXWUIHFJNV43GABJ7/",
"tags": [
"vendor-advisory"
]
},
{
"url": "https://github.com/python/cpython/commit/57e88c1cf95e1481b94ae57abe1010469d47a6b4",
"tags": [
"patch"
]
},
{
"url": "https://github.com/python/cpython/issues/145599",
"tags": [
"issue-tracking"
]
},
{
"url": "https://github.com/python/cpython/pull/145600",
"tags": [
"patch"
]
},
{
"url": "https://github.com/python/cpython/commit/62ceb396fcbe69da1ded3702de586f4072b590dd",
"tags": [
"patch"
]
},
{
"url": "https://github.com/python/cpython/commit/d16ecc6c3626f0e2cc8f08c309c83934e8a979dd",
"tags": [
"patch"
]
}
],
"metrics": [
{
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Stan Ulbrych",
"type": "coordinator"
},
{
"lang": "en",
"value": "Stan Ulbrych",
"type": "remediation developer"
},
{
"lang": "en",
"value": "Victor Stinner",
"type": "remediation reviewer"
},
{
"lang": "en",
"value": "Seth Larson",
"type": "remediation reviewer"
},
{
"lang": "en",
"value": "Vyom Yadav",
"type": "reporter"
}
]
},
"adp": [
{
"providerMetadata": {
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP",
"dateUpdated": "2026-03-16T18:25:55.021Z"
},
"title": "CISA ADP Vulnrichment",
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-20 Improper Input Validation",
"cweId": "CWE-20",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"lang": "en",
"description": "CWE-116 Improper Encoding or Escaping of Output",
"cweId": "CWE-116",
"type": "CWE"
}
]
}
],
"metrics": [
{}
]
}
]
}
}