
CVE-2026-35536: CWE-159 Improper Handling of Invalid Use of Special Elements in tornadoweb Tornado

Severity: High
Published: Fri Apr 03 2026 (04/03/2026, 02:25:57 UTC)
Source: CVE Database V5
Vendor/Project: tornadoweb
Product: Tornado

Description

In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to RequestHandler.set_cookie were not checked for crafted characters.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 04/03/2026, 03:53:18 UTC

Technical Analysis

CVE-2026-35536 is a vulnerability identified in the Tornado web framework before version 6.5.5. The issue arises from improper handling of invalid input in the set_cookie method of Tornado's RequestHandler class. Specifically, the domain, path, and samesite arguments passed to set_cookie are not properly validated or sanitized for crafted characters that could be used to inject malicious cookie attributes. This vulnerability is classified under CWE-159 (Improper Handling of Invalid Use of Special Elements), indicating that the software does not correctly handle special characters or malformed input in cookie attributes. Exploiting this flaw allows an attacker to perform cookie attribute injection, potentially altering cookie scope or behavior, which can lead to session fixation, cross-site scripting (XSS), or other session-related attacks. The CVSS v3.1 score is 7.2 (high), reflecting that the vulnerability can be exploited remotely over the network without authentication or user interaction, and it affects confidentiality and integrity with a scope change. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk to applications relying on Tornado for web services. The lack of input validation on cookie parameters means attackers can craft malicious cookies that may bypass security controls or manipulate user sessions.

Potential Impact

The impact of CVE-2026-35536 is primarily on the confidentiality and integrity of web sessions managed by Tornado-based applications. By injecting crafted cookie attributes, attackers can manipulate cookie scope, potentially enabling session fixation or hijacking attacks. This can lead to unauthorized access to user accounts or sensitive data. Additionally, altered cookie attributes might facilitate cross-site scripting or cross-site request forgery attacks by influencing browser cookie handling. Since the vulnerability can be exploited remotely without authentication or user interaction, it poses a significant risk to any publicly accessible Tornado web service. Organizations relying on Tornado for critical web applications could face data breaches, loss of user trust, and regulatory compliance issues if exploited. The absence of known exploits in the wild currently limits immediate impact, but the vulnerability's nature and ease of exploitation make it a high priority for remediation.

Mitigation Recommendations

To mitigate CVE-2026-35536, organizations should upgrade Tornado to version 6.5.5 or later where this vulnerability is fixed. Until upgrading is possible, developers should implement strict input validation and sanitization on all cookie attribute parameters (domain, path, samesite) before passing them to set_cookie. This includes rejecting or encoding special characters that could be used for injection. Additionally, applying web application firewalls (WAFs) with rules to detect and block suspicious cookie attributes can provide a temporary defense. Security teams should audit existing applications for improper cookie handling and monitor logs for unusual cookie-related activity. Educating developers on secure cookie management practices and regularly reviewing third-party dependencies for updates will reduce future risks. Finally, organizations should test their applications against cookie injection scenarios to ensure resilience.
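As an added example (not Tornado's own code and not its 6.5.5 fix), this is the kind of allowlist validation the mitigation above describes for the domain, path and samesite arguments, together with a hypothetical mixin that applies it before the framework's set_cookie runs. The regular expressions, the function names and the mixin are assumptions constructed for this example.

```python
import re

# Allowlists for the three attributes the advisory names. They reject the
# separator and control characters (';', ',', CR, LF, NUL, whitespace) that
# would let a crafted argument close one attribute and start another inside
# the Set-Cookie header. Constructed for this example, not taken from Tornado.
_DOMAIN_RE = re.compile(r"\.?[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*")
# Printable ASCII without ';' (0x3B); a cookie path must start with '/'.
_PATH_RE = re.compile(r"/[\x21-\x3a\x3c-\x7e]*")
_SAMESITE_VALUES = {"strict", "lax", "none"}


def validate_cookie_attrs(domain=None, path="/", samesite=None):
    """Raise ValueError if any attribute could inject extra cookie attributes."""
    if domain is not None and _DOMAIN_RE.fullmatch(domain) is None:
        raise ValueError(f"unsafe cookie domain: {domain!r}")
    if path is not None and _PATH_RE.fullmatch(path) is None:
        raise ValueError(f"unsafe cookie path: {path!r}")
    if samesite is not None and samesite.lower() not in _SAMESITE_VALUES:
        raise ValueError(f"unsafe cookie samesite: {samesite!r}")


def is_safe_cookie_attrs(domain=None, path="/", samesite=None):
    """Boolean form of validate_cookie_attrs, handy for audits and logging."""
    try:
        validate_cookie_attrs(domain, path, samesite)
    except ValueError:
        return False
    return True


class SafeCookieMixin:
    """Hypothetical mixin: list it before tornado.web.RequestHandler in a
    handler's bases so every set_cookie() call is validated first."""

    def set_cookie(self, name, value, domain=None, path="/", **kwargs):
        validate_cookie_attrs(domain, path, kwargs.get("samesite"))
        return super().set_cookie(name, value, domain=domain, path=path, **kwargs)
```

Upgrading to 6.5.5 remains the fix; this wrapper only narrows what an application can pass through while older versions are still deployed.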


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2026-04-03T02:25:57.035Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69cf362ae6bfc5ba1d4c9702

Added to database: 4/3/2026, 3:38:18 AM

Last enriched: 4/3/2026, 3:53:18 AM

Last updated: 4/9/2026, 2:39:19 AM
