PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-3644 Python Software Foundation CVE debrief

CVE-2026-3644 is a vulnerability in Python's http.cookies module. The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete: Morsel.update(), the |= operator, and the unpickling path were not patched, so control characters could still enter a Morsel through them and bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation that had been applied to BaseCookie.output(). This vulnerability has a CVSS score of 6 and a severity of MEDIUM.

Vendor: Python Software Foundation
Product: CPython
CVSS: MEDIUM 6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-16
Original CVE updated: 2026-06-04
Advisory published: 2026-03-16
Advisory updated: 2026-06-04

Who should care

Users of Python versions prior to 3.13.13, 3.14.4, and 3.15.0 (final) should be aware of this vulnerability and take steps to mitigate it.

Technical summary

The vulnerability exists in the http.cookies module of Python. The incomplete fix for CVE-2026-0672 did not properly address control character validation in Morsel.update(), the |= operator, and unpickling paths. Furthermore, BaseCookie.js_output() did not apply the same output validation as BaseCookie.output().
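The following is an added example, not code from PatchSiren or from CPython. It probes the interpreter it runs under for the paths the summary names (Morsel.update(), the |= operator, a pickle round trip, and the output() versus js_output() renderers) and reports what each one does with a constructed control-character value, without assuming a result for any particular Python version. It also shows a compensating guard that refuses any rendered Set-Cookie line containing a control character, for use until the upgrade in the recommended actions is in place. The exception type a fixed interpreter raises is not stated on the page, so the probe treats any exception as a rejection.

```python
"""Probe the local http.cookies module for the behaviours named in CVE-2026-3644
and guard rendered cookie headers while an upgrade is pending.

Added example; not PatchSiren's or CPython's own code. Each probe only records
what this interpreter does; it assumes nothing about which paths are fixed."""
import http.cookies
import pickle
import re

# Constructed probe value: CR/LF followed by a fake header line, the kind of
# control-character input the CVE-2026-0672 fix was meant to reject.
CONTROL_VALUE = "x\r\nInjected: yes"
# Any C0 control character or DEL; a single Set-Cookie line must contain none.
_CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")


def fresh_cookie():
    """A clean SimpleCookie holding one morsel, the object each probe taints."""
    cookie = http.cookies.SimpleCookie()
    cookie["session"] = "abc123"
    return cookie, cookie["session"]


def _via_update(morsel):
    # Morsel.update(): one of the paths the debrief says the earlier fix missed.
    morsel.update({"path": CONTROL_VALUE})


def _via_ior(morsel):
    # The |= operator (dict.__ior__, Python 3.9+): the second unpatched path.
    morsel |= {"path": CONTROL_VALUE}


def _attempt(fn, morsel):
    """Run one input path and return an 'accepted'/'rejected' verdict string."""
    try:
        fn(morsel)
    except Exception as exc:  # assumption: a fixed interpreter signals by raising
        return f"rejected ({type(exc).__name__})"
    if _CONTROL_RE.search(morsel.get("path", "")):
        return "accepted (control characters stored)"
    return "rejected (value not stored)"


def probe_paths():
    """Report, per path, whether this interpreter lets control characters through."""
    results = {}
    for name, fn in (("update", _via_update), ("ior", _via_ior)):
        _, morsel = fresh_cookie()
        results[name] = _attempt(fn, morsel)

    # The unpickle and output checks need a morsel that already carries the
    # control character; if neither input path accepted one, they cannot run.
    cookie, morsel = fresh_cookie()
    tainted = any(_attempt(fn, morsel).startswith("accepted")
                  for fn in (_via_update, _via_ior))
    if not tainted:
        for name in ("unpickle", "output", "js_output"):
            results[name] = "not exercised (no input path accepted the value)"
        return results

    try:
        loaded = pickle.loads(pickle.dumps(morsel))
    except Exception as exc:
        results["unpickle"] = f"rejected ({type(exc).__name__})"
    else:
        results["unpickle"] = ("accepted (control characters survive the round trip)"
                               if _CONTROL_RE.search(loaded.get("path", ""))
                               else "rejected (value dropped on load)")

    # output() gained output validation in the earlier fix; the debrief reports
    # that js_output() did not, so both renderers are checked the same way.
    for name, render in (("output", cookie.output), ("js_output", cookie.js_output)):
        try:
            text = render()
        except Exception as exc:
            results[name] = f"rejected ({type(exc).__name__})"
        else:
            results[name] = ("accepted (control characters emitted)"
                             if CONTROL_VALUE in text else "rejected (sanitised)")
    return results


def guard_header_lines(lines):
    """Compensating control: refuse any rendered header line that holds a
    control character, so an unpatched interpreter cannot split headers."""
    checked = []
    for line in lines:
        if _CONTROL_RE.search(line):
            raise ValueError(f"control character in cookie header: {line!r}")
        checked.append(line)
    return checked


def render_cookie_headers(cookie):
    """Render one Set-Cookie line per morsel, passing each through the guard."""
    return guard_header_lines(m.output() for m in cookie.values())


if __name__ == "__main__":
    for path, verdict in probe_paths().items():
        print(f"{path:10s} {verdict}")
    clean, _ = fresh_cookie()
    print(render_cookie_headers(clean))
```

Run it under each interpreter in the fleet: a fixed build reports every path as rejected, while an affected build reports update and ior as accepted and then shows whether output() and js_output() differ in what they emit. The guard is deliberately placed at the rendering boundary rather than at input, because the debrief shows that input-side checks are exactly what the unpatched paths skip.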

Defensive priority

MEDIUM

Recommended defensive actions

  • Upgrade to Python version 3.13.13, 3.14.4, or 3.15.0 (final) or later.
  • Apply patches from [ref-4], [ref-5], and [ref-6].
  • Refer to [ref-9] for additional information.

Evidence notes

Evidence from [source-item] and [nvd] confirms the details of this vulnerability.

Official resources

CVE-2026-3644 was published on [cvePublishedAt].