CVE-2020-26116: CRLF Injection

Published Feb 10, 2020
·
Updated

A flaw was found in Python. The built-in modules httplib and http.client (included in Python 2 and Python 3, respectively) do not properly validate CRLF sequences in the HTTP request method, potentially allowing manipulation to the request by injecting additional HTTP headers. The highest threat from this vulnerability is to confidentiality and integrity.

Other sources

A security issue was found in Python. Built-in modules httplib/http.client do not properly validate CRLF sequences in the HTTP request method, potentially allowing to manipulate the request by injecting additional HTTP headers.

Vulnerable modules: httplib (Python 2) http.client (Python 3)

References: https://python-security.readthedocs.io/vuln/http-header-injection-method.html https://bugs.python.org/issue39603

Upstream patch PR (merged upstream): https://github.com/python/cpython/pull/18485

Upstream commits: https://github.com/python/cpython/commit/8ca8a2e8fb068863c1138f07e3098478ef8be12e [master] https://github.com/python/cpython/commit/668d321476d974c4f51476b33aaca870272523bf [python-3.8.5] https://github.com/python/cpython/commit/ca75fec1ed358f7324272608ca952b2d8226d11a [python-3.7.9] https://github.com/python/cpython/commit/f02de961b9f19a5db0ead56305fe0057a78787ae [python-3.6.12] https://github.com/python/cpython/commit/524b8de630036a29ca340bc2ae6fd6dc7dda8f40 [python-3.5.10]

Red Hat

http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.

Python is vulnerable to CRLF injection, caused by improper validation of user-supplied input in http.client. By inserting CR and LF control characters in the first argument of HTTPConnection.request, a remote attacker could exploit this vulnerability to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.

IBM

Affected Software

39 affected componentsFixes available
redhat/python<0:2.7.5-92.el7_9
0:2.7.5-92.el7_9
redhat/python3<0:3.6.8-37.el8
0:3.6.8-37.el8
redhat/python3<0:3.6.8-24.el8_2
0:3.6.8-24.el8_2
redhat/rh-python36-python<0:3.6.12-1.el6
0:3.6.12-1.el6
redhat/rh-python36-python-pip<0:9.0.1-5.el6
0:9.0.1-5.el6
redhat/rh-python36-python-virtualenv<0:15.1.0-3.el6
0:15.1.0-3.el6
redhat/python27-python<0:2.7.18-2.el7
0:2.7.18-2.el7
redhat/python27-python-pip<0:8.1.2-6.el7
0:8.1.2-6.el7
redhat/python27-python-virtualenv<0:13.1.0-4.el7
0:13.1.0-4.el7
redhat/rh-python36-python<0:3.6.12-1.el7
0:3.6.12-1.el7
redhat/rh-python36-python-pip<0:9.0.1-5.el7
0:9.0.1-5.el7
redhat/rh-python36-python-virtualenv<0:15.1.0-3.el7
0:15.1.0-3.el7
redhat/rh-python38-python<0:3.8.6-1.el7
0:3.8.6-1.el7
redhat/rh-python38-python-psutil<0:5.6.4-5.el7
0:5.6.4-5.el7
redhat/rh-python38-python-urllib3<0:1.25.7-6.el7
0:1.25.7-6.el7
redhat/python<3.8.5
3.8.5
redhat/python<3.7.9
3.7.9
redhat/python<3.6.12
3.6.12
redhat/python<3.5.10
3.5.10
Python Python>=3.0.0<3.5.10
Python Python>=3.6.0<3.6.12
Python Python>=3.7.0<3.7.9
Python Python>=3.8.0<3.8.5
Fedoraproject Fedora=31
Fedoraproject Fedora=32
Fedoraproject Fedora=33
Canonical Ubuntu Linux=12.04
Canonical Ubuntu Linux=14.04
Canonical Ubuntu Linux=16.04
Canonical Ubuntu Linux=18.04
NetApp Solidfire
NetApp Hci Compute Node
NetApp Hci Storage Node
Debian Debian Linux=9.0
Oracle ZFS Storage Appliance Kit=8.8
openSUSE Leap=15.1
debian/pypy3
7.3.5+dfsg-2+deb11u27.3.5+dfsg-2+deb11u47.3.11+dfsg-2+deb12u37.3.19+dfsg-1
debian/python2.7<=2.7.18-8+deb11u1
debian/python3.9
3.9.2-13.9.2-1+deb11u3

Remediation

Patch Available

https://bugs.python.org/issue39603

Patch Available

https://python-security.readthedocs.io/vuln/http-header-injection-method.html

Patch Available

https://www.oracle.com/security-alerts/cpuoct2021.html

Event History

Feb 10, 2020
CVE Published
12:00 AM
Sep 27, 2020
CVE Published
via MITRE·12:00 AM
Data Sourced
via MITRE·12:00 AM
Description
Jan 11, 2024
Data Sourced
via Launchpad·11:47 PM
Description
Aug 3, 2024
Data Sourced
via IBM·10:19 PM
DescriptionSeverityAffected Software
Sep 16, 2024
Data Sourced
via Ubuntu·02:26 AM
RemedyDescriptionSeverityAffected Software
Mar 27, 2025
Data Sourced
via Debian·04:16 AM
DescriptionAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is CVE-2020-26116?

CVE-2020-26116 is a vulnerability in Python that allows for CRLF injection through improper validation of user-supplied input in http.client.

2

How does CVE-2020-26116 affect Python?

CVE-2020-26116 affects Python versions 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5.

3

How does CVE-2020-26116 work?

By inserting CR and LF control characters in the first argument of HTTPConnection.request, a remote attacker could exploit CVE-2020-26116 to conduct various attacks against the vulnerable Python application.

4

What is the severity of CVE-2020-26116?

CVE-2020-26116 has a severity rating of 7.2 (high).

5

How can I mitigate CVE-2020-26116?

To mitigate CVE-2020-26116, it is recommended to upgrade to Python versions 3.5.10, 3.6.12, 3.7.9, or 3.8.5, depending on your current Python version.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203