CVE-2026-0865: CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in Python Software Foundation CPython
User-controlled header names and values containing newlines can allow injecting HTTP headers.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2026-0865 is an HTTP header injection vulnerability in CPython, the Python Software Foundation's reference interpreter, classified as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component). When an application passes user-controlled HTTP header names or values to the affected standard-library code, newline characters in that input are not rejected. HTTP/1.x delimits header fields with CRLF, and most parsers also accept a bare LF, so an embedded newline terminates the current field; whatever follows it is read by the downstream component (a client, server, proxy or cache) as additional header fields or, after a blank line, as the start of the message body. The advisory covers CPython 3.11.0 through 3.15.0a1, including the early alpha releases; it does not name the specific module or call site, so any code path where application-supplied header names or values reach CPython's HTTP serialization should be treated as in scope until the fixed releases are identified. The CVSS 4.0 base score is 5.9 (medium): the vector is network-reachable with low attack complexity and no user interaction, requires some privilege on the attacking side, and is rated high for confidentiality and integrity with no availability impact. No public exploits had been reported at the time of analysis. The practical consequence is HTTP response splitting or header injection, which, depending on which headers the attacker can add, can enable session fixation, cache poisoning or cross-site scripting.
Potential Impact
The primary impact of CVE-2026-0865 is HTTP header injection, which undermines the integrity and confidentiality of web communications. An attacker who controls a header name or value could add headers that alter client or server behavior: setting or fixing a session cookie, poisoning a shared cache with a crafted response, weakening or overriding security headers such as Content-Security-Policy, or redirecting users to an attacker-chosen site. Organizations running Python web applications or services that pass user input into HTTP headers without their own validation are the ones exposed. Although the CVSS vector records a privilege requirement, an insider or a compromised account could still use the flaw to escalate an attack. The affected population is large given Python's popularity, although only deployments on the affected versions whose code actually places untrusted input in headers are reachable. The absence of known exploitation in the wild lowers immediate risk but does not remove it, since header injection is well understood and proof-of-concept code is easy to produce once the affected call site is public.
Mitigation Recommendations
To mitigate CVE-2026-0865, upgrade to a CPython release that contains the fix as soon as one is published for your branch; the advisory does not list fixed versions, so track the PSF advisory for the exact releases. Until then, validate every user-supplied header name and value before it reaches any HTTP serialization: reject (do not attempt to escape, since HTTP/1.x has no safe escape for them) values containing CR, LF or NUL, and restrict header names to the RFC 9110 token characters. Review custom HTTP code that builds headers from request parameters, redirect targets, filenames or user profile data, as these are the usual injection sources. A web application firewall with CRLF-injection rules is a useful second layer but not a substitute, since it sees only the request, not what the application writes into the response. Limit which accounts can supply data that ends up in headers, and monitor access logs and response logs for unexpected header names or for CR/LF sequences in parameters that feed headers. For web frameworks and HTTP libraries built on CPython, confirm whether they validate headers themselves or rely on the standard library, and whether they have shipped a mitigation. Finally, include header injection cases in security testing of any endpoint that reflects input into a response header.
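The following Python example, added here and not taken from CPython or the advisory, shows the bug class the Technical Summary describes and the check the Mitigation Recommendations call for. A deliberately naive serializer stands in for the affected behaviour, a small parser stands in for the downstream component, and the attacker inputs (EVIL_VALUE, EVIL_NAME) are constructed for the illustration; none of these names or functions exist in CPython.

```python
"""Header injection via CR/LF, and the validation that stops it.

Added illustration, not CPython's code: a deliberately naive serializer
stands in for the affected behaviour, and a minimal parser stands in for
the downstream component that consumes the bytes.
"""
from __future__ import annotations

import re
from typing import Iterable

# RFC 9110 "tchar": the only characters permitted in a field name.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# CR, LF or NUL in a field value terminates or corrupts the header line;
# HTTP/1.x has no safe escape for them, so they are rejected outright.
_BAD_VALUE_RE = re.compile(r"[\r\n\x00]")

# Constructed attacker input (hypothetical): a redirect target and a header
# name that each smuggle a second header line.
EVIL_VALUE = "/home\r\nSet-Cookie: session=attacker"
EVIL_NAME = "X-Trace\nX-Injected"


def serialize_headers_unsafe(headers: Iterable[tuple[str, str]]) -> bytes:
    """Trusts names and values verbatim: a newline in either breaks out of
    the header line. This is the bug class the advisory describes."""
    lines = [f"{name}: {value}\r\n".encode("latin-1") for name, value in headers]
    return b"".join(lines) + b"\r\n"


def validate_header(name: str, value: str) -> None:
    """Reject any name or value that could alter header framing."""
    if not _TOKEN_RE.match(name):
        raise ValueError(f"invalid header name {name!r}")
    if _BAD_VALUE_RE.search(value):
        raise ValueError(f"control character in value of header {name!r}")


def serialize_headers_safe(headers: Iterable[tuple[str, str]]) -> bytes:
    """Same wire format as the unsafe version, emitted only after validation."""
    lines = []
    for name, value in headers:
        validate_header(name, value)
        lines.append(f"{name}: {value}\r\n".encode("latin-1"))
    return b"".join(lines) + b"\r\n"


def parse_header_block(raw: bytes) -> list[tuple[str, str]]:
    """Stand-in for a downstream consumer (browser, proxy, cache): splits on
    CRLF or bare LF, as most HTTP/1.x parsers do, and stops at the blank line."""
    fields = []
    for line in re.split(r"\r?\n", raw.decode("latin-1")):
        if line == "":
            break
        name, _, value = line.partition(":")
        fields.append((name.strip(), value.strip()))
    return fields


def unsafe_result() -> list[tuple[str, str]]:
    """What the downstream parser sees with the naive serializer: four fields,
    two of which (Set-Cookie, X-Injected) the application never sent."""
    raw = serialize_headers_unsafe([("Location", EVIL_VALUE), (EVIL_NAME, "1")])
    return parse_header_block(raw)


def safe_result() -> list[bool]:
    """Whether each candidate header is rejected by the validating serializer."""
    candidates = [("Location", EVIL_VALUE), (EVIL_NAME, "1"), ("Location", "/home")]
    rejected = []
    for name, value in candidates:
        try:
            serialize_headers_safe([(name, value)])
            rejected.append(False)
        except ValueError:
            rejected.append(True)
    return rejected


if __name__ == "__main__":
    for field in unsafe_result():
        print("downstream sees:", field)
    print("rejected:", safe_result())
```

The same two inputs make a quick acceptance test for a real deployment: feed them through whatever path your application uses to emit headers on the CPython version you ship and confirm a ValueError (or equivalent) rather than a second header line on the wire. Rejection is the right response; stripping or escaping the newline silently changes the value and can still leave a parser-dependent ambiguity.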
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, China, India, Australia, Canada
Technical Details
- Data Version: 5.2
- Assigner Short Name: PSF
- Date Reserved: 2026-01-12T16:07:56.781Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 696ff53d4623b1157c50c98a
Added to database: 1/20/2026, 9:35:57 PM
Last enriched: 3/7/2026, 9:16:43 PM
Last updated: 3/21/2026, 10:16:53 PM