CVE-2026-0865 in CPython

Summary

by MITRE • 01/21/2026

User-controlled header names and values containing newlines can allow injecting HTTP headers.


Analysis

by VulDB Data Team • 04/22/2026

This vulnerability represents a critical HTTP header injection flaw that arises from insufficient input validation in web applications processing user-supplied data. The vulnerability occurs when applications fail to properly sanitize header names and values that contain newline characters, creating opportunities for attackers to inject malicious headers into HTTP responses. The flaw is particularly dangerous because it allows adversaries to manipulate the HTTP protocol at the application layer, potentially enabling a wide range of malicious activities including session hijacking, cache poisoning, and cross-site scripting attacks. The vulnerability stems from improper handling of user-controllable input within HTTP header construction logic, where newline characters such as \r, \n, or \r\n are not adequately filtered or escaped before being incorporated into HTTP headers.

The technical implementation of this vulnerability typically involves applications that construct HTTP headers using user-provided data without proper sanitization of special characters. When newline characters are present in header names or values, they can be interpreted by HTTP parsers as delimiters between separate headers, allowing attackers to inject additional headers into the response. This behavior violates fundamental security principles of input validation and output encoding, as defined by CWE-117, which specifically addresses improper output neutralization for logs. The vulnerability operates at the application layer of the OSI model and can be exploited through various attack vectors including web forms, API endpoints, and parameter manipulation. According to the ATT&CK framework, this vulnerability maps to T1190 - Proxy Execution and T1566 - Phishing, as it can enable attackers to redirect traffic or manipulate response headers to achieve unauthorized access or data exfiltration.

The operational impact of CVE-2026-0865 extends beyond simple header injection, potentially allowing attackers to manipulate browser behavior, hijack sessions, or poison application caches. Attackers can exploit this vulnerability to perform cache poisoning attacks by injecting cache-control headers that manipulate how responses are cached by intermediaries or browsers. The vulnerability also enables session manipulation attacks where attackers can inject Set-Cookie headers with malicious session tokens, effectively allowing unauthorized access to user accounts. Additionally, the flaw can facilitate cross-site scripting attacks by injecting script tags into response headers that are then executed by vulnerable web applications. The vulnerability affects any web application that processes user input to construct HTTP headers without proper validation, making it particularly prevalent in applications that handle user comments, form submissions, or API request parameters. Security controls such as web application firewalls and input validation mechanisms may not adequately protect against this vulnerability if they fail to detect or block newline characters in header construction contexts.

Mitigation strategies for this vulnerability require comprehensive input validation and output encoding practices that prevent newline characters from being processed within HTTP header contexts. Organizations should implement strict sanitization of all user-supplied data before it is used in header construction, particularly filtering or escaping characters such as \r, \n, and \r\n. The implementation of proper header validation functions that enforce strict header name and value formatting can prevent injection attempts. Additionally, security measures should include regular code reviews focusing on HTTP header construction patterns, automated scanning tools that detect vulnerable header injection patterns, and comprehensive testing procedures that validate header handling logic. Organizations should also consider implementing Content Security Policy headers and other security headers that can provide additional protection against the exploitation of header injection vulnerabilities. The remediation process should involve updating all web application frameworks and libraries to ensure proper handling of user input in HTTP contexts, as many modern frameworks have built-in protections against such vulnerabilities. Regular security training for development teams should emphasize proper input validation techniques and the importance of HTTP header security to prevent similar vulnerabilities from being introduced in future code implementations.
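The check described above, written out as an added Python example. It is not CPython's code or the fix for this CVE, and the function names are hypothetical. It builds a header block from a constructed value with and without validation, so the extra header line and the rejection can be compared directly.

```python
import re

# RFC 9110 "token" characters allowed in a field name. fullmatch() is used
# below because "$" in a Python regex also matches before a trailing "\n".
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# Characters that end or corrupt a header line when present in a value.
_FORBIDDEN_IN_VALUE = re.compile(r"[\r\n\x00]")


def serialize_unchecked(headers):
    """Naive header block construction: joins name/value pairs as-is."""
    return "".join(f"{name}: {value}\r\n" for name, value in headers) + "\r\n"


def check_header(name, value):
    """Raise ValueError unless the pair serializes to exactly one header line."""
    if not isinstance(name, str) or not _TOKEN.fullmatch(name):
        raise ValueError(f"invalid header name: {name!r}")
    if not isinstance(value, str) or _FORBIDDEN_IN_VALUE.search(value):
        raise ValueError(f"invalid header value for {name}: {value!r}")
    return name, value


def serialize_checked(headers):
    """Validate every pair before building the header block."""
    return serialize_unchecked([check_header(n, v) for n, v in headers])


def header_lines(block):
    """Split a serialized block into the header lines a receiver would see."""
    return [line for line in block.split("\r\n") if line]


# Constructed sample input: a value carrying an embedded CRLF sequence.
SAMPLE_VALUE = "en\r\nX-Injected: 1"

if __name__ == "__main__":
    unchecked = serialize_unchecked([("Content-Language", SAMPLE_VALUE)])
    print(header_lines(unchecked))  # one intended header becomes two lines
    try:
        serialize_checked([("Content-Language", SAMPLE_VALUE)])
    except ValueError as exc:
        print("rejected:", exc)
```

Rejecting the input, rather than stripping the newline characters and continuing, keeps a malformed value from being silently rewritten into something the caller did not intend to send.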

Responsible: PSF

Reservation: 01/12/2026

Disclosure: 01/21/2026

Moderation: accepted

CPE: ready

EPSS: 0.00170

KEV: no

Activities: very low
