CVE-2026-0672 is a vulnerability classified under CWE-93 (Improper Neutralization of CRLF Sequences in HTTP Headers) affecting the Python Software Foundation's CPython implementation, specifically the http.cookies.Morsel class. This class is responsible for managing HTTP cookie data, including cookie names, values, and parameters. The vulnerability arises because the affected versions (up to 3.15.0a1) do not adequately sanitize or reject control characters (such as carriage return and line feed) within cookie data. An attacker who can control cookie values or parameters can inject malicious HTTP headers into server responses, leading to HTTP response splitting. This can facilitate attacks such as web cache poisoning, cross-site scripting (XSS), session fixation, and other injection-based exploits. The CVSS 4.0 score is 6.0 (medium severity), reflecting that the attack vector is network-based with low attack complexity, requiring privileges and no user interaction. The vulnerability affects all CPython versions from 0 up to 3.15.0a1, indicating a broad range of impacted Python environments. The Python Software Foundation has patched this issue by rejecting all control characters in cookie names, values, and parameters, effectively preventing header injection. No known exploits have been reported in the wild as of the publication date. This vulnerability is particularly relevant for web applications developed in Python that utilize the http.cookies module for cookie management, especially those that accept user-controlled cookie data without additional sanitization.

For European organizations, this vulnerability poses a moderate risk primarily to web applications developed using Python's CPython interpreter that handle HTTP cookies via the http.cookies.Morsel class. Exploitation could allow attackers to perform HTTP response splitting attacks, which can lead to web cache poisoning, enabling attackers to serve malicious content to users, or cross-site scripting, potentially compromising user sessions and data confidentiality. This can undermine the integrity and availability of web services, damage organizational reputation, and lead to regulatory compliance issues under GDPR if user data is compromised. Organizations running Python-based web services, especially those in finance, healthcare, and government sectors, where data sensitivity is high, are at increased risk. The requirement for some level of privilege (authentication) to exploit reduces the attack surface but does not eliminate it, as insider threats or compromised accounts could be leveraged. The absence of known exploits in the wild currently limits immediate risk but does not preclude future exploitation. Overall, the vulnerability could disrupt service reliability and user trust if exploited.

European organizations should immediately upgrade affected Python environments to versions beyond 3.15.0a1 where the patch rejecting control characters in cookie data is implemented. For legacy systems where upgrading is not immediately feasible, implement application-level input validation to sanitize and reject control characters in cookie names, values, and parameters before processing. Employ web application firewalls (WAFs) configured to detect and block HTTP response splitting and header injection attempts. Conduct thorough code reviews and security testing focusing on cookie handling logic in Python web applications. Educate developers on secure cookie management practices and the risks of improper input sanitization. Monitor logs for unusual HTTP header patterns or anomalies indicative of injection attempts. Additionally, enforce strict authentication and session management controls to reduce the risk posed by attackers with limited privileges. Finally, maintain an incident response plan to quickly address any exploitation attempts.