oss-sec mailing list archives
CPython [CVE-2026-1502] HTTP client proxy tunnel headers not validated for CR/LF
From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Fri, 10 Apr 2026 18:46:29 -0700
-------- Forwarded Message --------
Subject: [Security-announce][CVE-2026-1502] HTTP client proxy tunnel headers not validated for CR/LF
Date: Fri, 10 Apr 2026 17:51:54 +0000
From: Seth Larson <seth () python org>
Reply-To: security-sig () python org
To: security-announce () python org

There is a MEDIUM severity vulnerability affecting CPython.

CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.

Please see the linked CVE ID for the latest information on affected versions:

* https://www.cve.org/CVERecord?id=CVE-2026-1502
* https://github.com/python/cpython/pull/146212
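
A caller-side check for the condition the advisory describes, as an added example (not code from the advisory or from the CPython fix): it refuses CR or LF in the tunnel host and tunnel headers before handing them to `http.client.HTTPConnection.set_tunnel()`. The helper names `check_tunnel_args` and `set_tunnel_checked` and all sample values are assumptions constructed for illustration.

```python
import http.client
import re

# CR and LF end a header line, so neither may appear in the CONNECT target
# or in any header sent with the CONNECT request.
_CRLF = re.compile(r"[\r\n]")


def check_tunnel_args(host, headers=None):
    """Raise ValueError if the tunnel host or any tunnel header contains CR or LF."""
    def scan(label, value):
        # Header names and values may be str or bytes; normalise before scanning.
        text = value.decode("latin-1") if isinstance(value, bytes) else str(value)
        if _CRLF.search(text):
            raise ValueError(f"CR/LF in tunnel {label}: {text!r}")

    scan("host", host)
    for name, value in (headers or {}).items():
        scan("header name", name)
        scan(f"header {name!r} value", value)


def set_tunnel_checked(conn, host, port=None, headers=None):
    """Hypothetical wrapper: validate first, then call the real set_tunnel()."""
    check_tunnel_args(host, headers)
    conn.set_tunnel(host, port=port, headers=headers)
    return conn


# Constructed sample inputs (host names and header values are made up).
CLEAN = ("origin.example", {"Proxy-Authorization": "Basic Y29uc3RydWN0ZWQ="})
TAINTED_HOST = ("origin.example\r\nX-Extra: 1", {})
TAINTED_HEADER = ("origin.example", {"User-Agent": "app/1.0\r\nX-Extra: 1"})


def classify(samples):
    """Return 'ok' or 'rejected' for each (host, headers) sample."""
    results = []
    for host, headers in samples:
        try:
            check_tunnel_args(host, headers)
            results.append("ok")
        except ValueError:
            results.append("rejected")
    return results


if __name__ == "__main__":
    # Neither the constructor nor set_tunnel() opens a socket, so this runs offline.
    conn = http.client.HTTPConnection("proxy.example", 8080)
    set_tunnel_checked(conn, CLEAN[0], 443, CLEAN[1])
    print(classify([CLEAN, TAINTED_HOST, TAINTED_HEADER]))
```
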
