Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
Medium

CPython HTTP Client Proxy Tunnel Header Injection via CR/LF

IdentifiersCVE-2026-1502CWE-93· Improper Neutralization of CRLF…

CVE-2026-1502 is a medium-severity vulnerability in CPython's HTTP client proxy tunnel handling. The issue arises because CR/LF bytes were not rejected in proxy tunnel headers or host values. This improper input validation allows attacker-controlled carriage return and line feed characters to be introduced into HTTP header construction for proxy CONNECT/tunnel requests, creating an HTTP header injection condition. Based on the available information, the affected component is CPython's HTTP client proxy tunnel handling logic; specific vulnerable functions or exact version ranges are not provided in the supplied content.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation could allow header injection and potentially request smuggling-style manipulation in HTTP proxy tunnel requests. This may let an attacker alter request structure or inject unintended headers, undermining request integrity and potentially influencing downstream proxies, intermediaries, or target services that process the malformed tunneled request. The provided content does not establish arbitrary code execution or privilege escalation.

Mitigation

If you can’t patch tonight, do this now.

Until patched versions can be deployed, avoid passing untrusted input into HTTP client proxy tunnel header fields or host values, especially where proxy CONNECT behavior is used. Enforce strict sanitization or validation to reject carriage return and line feed characters in any user-influenced header or host input before it reaches CPython's HTTP client proxy tunnel handling. Restrict use of untrusted or attacker-influenced proxy configuration paths where possible.

Remediation

Patch, then assume compromise.

Apply the vendor-provided fix referenced by the CPython project and upgrade to a CPython release that rejects CR/LF bytes in HTTP client proxy tunnel headers and host values. Confirm affected and fixed versions using the official CVE record and the associated CPython pull request 146212 referenced in the advisory.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
PythonCpythonapplication
PythonPythonapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

11 sources tracked across advisories and community write-ups. News coverage will land here when it surfaces.

11 SOURCESView more in app

No news coverage yet. Advisories and community discussion only.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity8

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-1502
NVD
nvd.nist.gov/vuln/detail/CVE-2026-1502
MITRE CWE · CWE-93
Improper Neutralization of CRLF Sequences…
openwall.com
openwall.com/lists/oss-security/2026/04/11/4
github.com
github.com/python/cpython/commit/05ed7ce7ae9e17c23a04085b2539fe6d6d3cef69
github.com
github.com/python/cpython/commit/9e071c9b28c17f347f81b388a003d4eeb3c7a8dd
github.com
github.com/python/cpython/commit/b1cf9016335cb637c5a425032e8274a224f4b2ed
github.com
github.com/python/cpython/commit/c00c386faa579ad71196d33408644478488e43ec
github.com
github.com/python/cpython/issues/146211
github.com
github.com/python/cpython/pull/146212
mail.python.org
mail.python.org/archives/list/security-announce@python.org/thread/2IVPAEQWUJBCTQZEJEVTYCIKSMQPGRZ3