CVE-2026-0672

Description

When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.

How to fix CVE-2026-0672

To remediate CVE-2026-0672, upgrade the affected package to a fixed version below.

• Bitnami/libpython—upgrade to 3.10.20 or later
• Bitnami/python—upgrade to 3.10.20 or later
• Bitnami/python-min—upgrade to 3.10.20 or later
• —no fix listed
• —upgrade to 3.11.2-6+deb12u7 or later
• —upgrade to 3.13.5-2+deb13u1 or later
• —upgrade to 3.14.3-1 or later
• —upgrade to 3.9.2-1+deb11u7 or later

Is CVE-2026-0672 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (8)

• from 0, < 3.10.20, >= 3.11.0, < 3.11.15, >= 3.12.0, < 3.12.13, >= 3.13.0, < 3.13.12, >= 3.14.0, < 3.14.3
• from 0, < 3.10.20, >= 3.11.0, < 3.11.15, >= 3.12.0, < 3.12.13, >= 3.13.0, < 3.13.12, >= 3.14.0, < 3.14.3
• from 0, < 3.10.20, >= 3.11.0, < 3.11.15, >= 3.12.0, < 3.12.13, >= 3.13.0, < 3.13.12, >= 3.14.0, < 3.14.3
• from 0
• from 0, < 3.11.2-6+deb12u7
• from 0, < 3.13.5-2+deb13u1
• from 0, < 3.14.3-1
• from 0, < 3.9.2-1+deb11u7

CVSS scores

References (11)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2026-0672
• WEBgithub.com/python/cpython/commit/62700107418eb2cca3fc88da036a243ea975f172
• WEBgithub.com/python/cpython/commit/712452e6f1d4b9f7f8c4c92ebfcaac1705faa440
• WEBgithub.com/python/cpython/commit/7852d72b653fea0199acf5fc2a84f6f8b84eba8d