CVE-2026-0672: CWE-93 in Python Software Foundation CPython
When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.
AI Analysis
Technical Summary
CVE-2026-0672 is a vulnerability classified under CWE-93 (Improper Neutralization of CRLF Sequences in HTTP Headers) affecting the Python Software Foundation's CPython implementation, specifically the http.cookies.Morsel class. This class is responsible for managing HTTP cookie data, including names, values, and parameters. The vulnerability arises because the Morsel class does not properly sanitize or reject control characters (such as carriage return and line feed) in cookie values and parameters. An attacker who can control cookie values can inject malicious HTTP headers by exploiting this flaw, leading to HTTP response splitting attacks. Such attacks can cause a variety of downstream issues including cache poisoning, cross-site scripting (XSS), session fixation, and other injection-based attacks that compromise the integrity and confidentiality of web communications. The CVSS 4.0 score is 6.0 (medium severity), reflecting that the attack vector is network-based with low attack complexity but requires privileges (authenticated user) and does not require user interaction. The vulnerability does not affect availability but impacts confidentiality and integrity at a high level. The patch involves rejecting all control characters in cookie names, values, and parameters, effectively neutralizing the injection vector. No known exploits are reported in the wild yet, but the vulnerability is publicly disclosed and should be addressed promptly. This vulnerability affects all versions of CPython prior to the patch and is critical for any Python-based web applications that handle HTTP cookies, especially those exposed to untrusted input.
Potential Impact
For European organizations, this vulnerability poses a significant risk to web applications developed in Python that handle HTTP cookies, particularly those that rely on the http.cookies.Morsel class for cookie management. Exploitation can lead to HTTP response splitting, enabling attackers to poison caches, inject malicious scripts, or hijack sessions, thereby compromising user data confidentiality and application integrity. This can result in data breaches, loss of user trust, regulatory non-compliance (e.g., GDPR violations), and potential financial and reputational damage. Organizations in sectors such as finance, healthcare, government, and e-commerce, which often use Python for backend services, are especially vulnerable. The medium severity rating suggests that while exploitation is feasible, it requires some level of authentication, which may limit exposure but does not eliminate risk. The lack of user interaction needed means automated attacks could be launched once access is gained. The vulnerability could also be leveraged in multi-stage attacks targeting European critical infrastructure or sensitive data repositories.
Mitigation Recommendations
European organizations should immediately update their Python environments to the latest patched CPython versions that reject control characters in cookie names, values, and parameters. If immediate patching is not feasible, implement strict input validation and sanitization on all cookie-related data, ensuring that control characters (CR, LF, and other non-printable characters) are filtered out or encoded before processing. Web application firewalls (WAFs) should be configured to detect and block HTTP response splitting attempts by monitoring for suspicious header injection patterns. Security teams should audit existing applications for use of http.cookies.Morsel and review cookie handling logic for unsafe practices. Additionally, conduct penetration testing focused on HTTP header injection vectors to identify exploitable instances. Logging and monitoring should be enhanced to detect anomalous HTTP responses that may indicate exploitation attempts. Finally, educate developers about secure cookie handling and the risks of improper input sanitization to prevent recurrence.
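As an added defensive example (not code from CPython or from this advisory), the following Python builds a Set-Cookie header through http.cookies while refusing any cookie name, value or attribute that carries a control character, and adds a small scan over outgoing headers to support the logging recommended above. The function names and the sample headers are constructed for illustration.

```python
import re
from http.cookies import SimpleCookie

# ASCII control characters (0x00-0x1F) plus DEL (0x7F). CR and LF are the
# ones that terminate a header line; the CPython fix rejects all of them.
_CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")


def has_control_chars(text: str) -> bool:
    """True if `text` contains any ASCII control character."""
    return _CONTROL_RE.search(text) is not None


def build_set_cookie(name: str, value: str, attrs: dict) -> str:
    """Build a Set-Cookie header value, refusing any component that could
    split the header line. `attrs` holds Morsel attributes such as 'path',
    'domain', 'max-age', 'secure', 'httponly' and 'samesite'. Raises
    ValueError before the data ever reaches http.cookies."""
    for label, component in (("name", name), ("value", value)):
        if has_control_chars(component):
            raise ValueError(f"control character in cookie {label}")
    for key, attr in attrs.items():
        if isinstance(attr, str) and has_control_chars(attr):
            raise ValueError(f"control character in cookie attribute {key!r}")
    cookie = SimpleCookie()
    cookie[name] = value          # the value is quoted/escaped by SimpleCookie
    for key, attr in attrs.items():
        cookie[name][key] = attr  # attributes are emitted verbatim by Morsel
    header = cookie[name].OutputString()
    # Belt and braces: never emit a header line containing CR or LF, even if
    # an unpatched interpreter let something through.
    if "\r" in header or "\n" in header:
        raise ValueError("refusing to emit a Set-Cookie header containing CR/LF")
    return header


def find_header_injection(headers: list[tuple[str, str]]) -> list[str]:
    """Detection helper for response logging: return the names of outgoing
    headers whose value carries a control character (a CWE-93 indicator)."""
    return [hname for hname, hvalue in headers if has_control_chars(hvalue)]


if __name__ == "__main__":
    print(build_set_cookie("session", "abc123",
                           {"path": "/", "httponly": True, "secure": True,
                            "samesite": "Lax"}))
    # Constructed sample of an outgoing response's headers; only the last
    # Set-Cookie carries a line break and is flagged.
    sample = [("Content-Type", "text/html"),
              ("Set-Cookie", "session=abc123; Path=/"),
              ("Set-Cookie", "theme=dark; Path=/\r\n")]
    print(find_header_injection(sample))
```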
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland, Belgium, Finland
Technical Details
- Data Version: 5.2
- Assigner Short Name: PSF
- Date Reserved: 2026-01-07T17:08:45.326Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 696ffc4f4623b1157c51a0af
Added to database: 1/20/2026, 10:06:07 PM
Last enriched: 1/20/2026, 10:22:32 PM
Last updated: 1/21/2026, 12:28:02 AM