CVE-2026-1502

MEDIUM

HTTP client proxy tunnel headers not validated for CR/LF

Title source: cna

Description

CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.

References (8)

Core 8

Core References

Patch patch

https://github.com/python/cpython/commit/9e071c9b28c17f347f81b388a003d4eeb3c7a8dd

View Patch ZIP pw:eip

Patch patch

https://github.com/python/cpython/commit/c00c386faa579ad71196d33408644478488e43ec

View Patch ZIP pw:eip

Mailing List

http://www.openwall.com/lists/oss-security/2026/04/11/4

Issue Tracking issue-tracking

https://github.com/python/cpython/issues/146211

Vendor Advisory vendor-advisory

https://mail.python.org/archives/list/[email protected]/thread/2IVPAEQWUJBCTQZEJEVTYCIKSMQPGRZ3/

Patch patch

https://github.com/python/cpython/commit/05ed7ce7ae9e17c23a04085b2539fe6d6d3cef69

View Patch ZIP pw:eip

Patch patch

https://github.com/python/cpython/commit/b1cf9016335cb637c5a425032e8274a224f4b2ed

View Patch ZIP pw:eip

Patch patch

https://github.com/python/cpython/pull/146212

Scores

CVSS v4 5.7

EPSS 0.0047

EPSS Percentile 37.1%

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-93

Status published

Products (6)

Python Software Foundation/CPython < 3.13.14

Python Software Foundation/CPython < 3.14.5rc1

Python Software Foundation/CPython < 3.15.0

Python Software Foundation/CPython 3.14.0a1 - 3.14.5rc1

Python Software Foundation/CPython 3.15.0a1 - 3.15.0

Python Software Foundation/CPython 3.15.0a1 - 3.15.0b1

Published Apr 10, 2026

Tracked Since Apr 11, 2026