CVE-2026-0672 is a vulnerability classified under CWE-93 (Improper Neutralization of CRLF Sequences in HTTP Headers) affecting the Python Software Foundation's CPython implementation, specifically within the http.cookies.Morsel class. This class is responsible for handling cookie data in HTTP headers. The vulnerability arises because user-controlled cookie values and parameters can include control characters (such as carriage return and line feed), which are not properly sanitized or rejected in affected versions. This flaw enables an attacker to inject arbitrary HTTP headers into server responses, leading to HTTP response splitting attacks. Such attacks can facilitate cache poisoning, cross-site scripting (XSS), session fixation, or other malicious manipulations of HTTP responses. The vulnerability impacts CPython versions 3.11.0 through 3.15.0a1, including early alpha releases. The CVSS 4.0 base score is 6.0 (medium severity), reflecting network attack vector, low attack complexity, partial privileges required, no user interaction, and high impact on integrity and availability. The Python Software Foundation has mitigated this vulnerability by implementing input validation that rejects all control characters within cookie names, values, and parameters, effectively preventing header injection. No public exploits have been reported to date, but the vulnerability poses a significant risk to web applications relying on vulnerable CPython versions for HTTP cookie handling.

The primary impact of CVE-2026-0672 is the potential for HTTP response splitting attacks, which can undermine the confidentiality, integrity, and availability of web applications. Attackers can manipulate HTTP headers to poison caches, redirect users to malicious sites, or execute cross-site scripting attacks, leading to session hijacking or data theft. This can degrade user trust and cause reputational damage. Organizations running web services or applications that utilize CPython's http.cookies.Morsel for cookie management are at risk, especially if they process untrusted input in cookies. The vulnerability could be exploited remotely over the network with relatively low complexity, requiring only partial privileges, making it accessible to a broad range of attackers. While no known exploits exist currently, the widespread use of Python in web development means that many organizations worldwide could be affected if patches are not applied. The impact is particularly critical for services handling sensitive user data or financial transactions.

Organizations should immediately upgrade to patched CPython versions where control characters in cookie names, values, and parameters are rejected. If upgrading is not immediately feasible, implement strict input validation and sanitization on all cookie data before it reaches the http.cookies.Morsel class. Web application firewalls (WAFs) can be configured to detect and block HTTP requests containing suspicious control characters in cookies. Developers should audit their codebases for direct or indirect use of http.cookies.Morsel and ensure no untrusted input is passed without validation. Additionally, monitoring HTTP response headers for anomalies can help detect attempted exploitation. Security teams should maintain awareness of updates from the Python Software Foundation and apply security patches promptly. Finally, conduct penetration testing focused on HTTP header injection to verify the effectiveness of mitigations.