Platform: python
Component: tornado
Fixed in: 6.5.5
CVE-2026-35536 describes a cookie attribute injection vulnerability discovered in Tornado versions prior to 6.5.5. This flaw allows attackers to inject crafted characters into cookie attributes like domain, path, and SameSite, potentially leading to session hijacking and unauthorized access. The vulnerability was publicly disclosed on April 3, 2026, and a patch is available in version 6.5.5.
The core of the vulnerability lies in the RequestHandler.set_cookie function, which lacks proper validation of the domain, path, and SameSite arguments. An attacker can craft malicious cookie values containing specially designed characters that bypass the intended security measures. Successful exploitation could allow an attacker to hijack user sessions, gain unauthorized access to sensitive data, and potentially escalate privileges within the application. This is particularly concerning in web applications that rely heavily on cookies for authentication and session management. The impact is amplified if the application handles sensitive user data or financial transactions.
CVE-2026-35536 was published on April 3, 2026. There is currently no indication of active exploitation campaigns targeting this vulnerability. No public proof-of-concept (PoC) code has been released at the time of this writing. The vulnerability is not currently listed on the CISA KEV catalog. Given the nature of cookie injection vulnerabilities, it is reasonable to assume that attackers may develop PoCs and attempt to exploit this vulnerability in the future.
Exploit Status
EPSS: 0.05% (15th percentile)
The primary mitigation for CVE-2026-35536 is to upgrade to Tornado version 6.5.5 or later, which includes the necessary input validation fixes. If upgrading immediately is not feasible, consider implementing a Web Application Firewall (WAF) rule to filter out potentially malicious characters in cookie attributes. Specifically, look for patterns involving unusual characters or sequences in the domain, path, and SameSite fields. Additionally, review your application's cookie handling logic to ensure that you are not inadvertently relying on untrusted input for cookie attribute values. After upgrading, confirm the fix by attempting to set a cookie with a crafted payload containing potentially malicious characters and verifying that the cookie is not set with the injected attributes.
Update to version 6.5.5 or later of Tornado. This version fixes the cookie attribute injection vulnerability by correctly validating the domain, path, and samesite arguments in RequestHandler.set_cookie.
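For applications that cannot upgrade immediately, or that want a second line of defence behind the patch, the following is an added example (not Tornado's code and not the 6.5.5 fix itself) of validating cookie attribute values before they are handed to set_cookie. The allowed character classes are my reading of RFC 6265 (no control characters or ';' in Path, hostname syntax for Domain, only Strict/Lax/None for SameSite); `safe_set_cookie`, `validate_cookie_attributes` and the `RecordingHandler` test double are hypothetical names introduced here.

```python
import re

# RFC 6265 section 4.1.1: path-value is any CHAR except CTLs or ";".
# A value containing these cannot be expressed as a single attribute.
_CTL_OR_SEMICOLON = re.compile(r"[\x00-\x1f\x7f;]")

# Domain: dotted hostname labels (letters, digits, hyphens), optional leading dot.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DOMAIN_RE = re.compile(rf"\.?{_LABEL}(?:\.{_LABEL})*")

# SameSite accepts exactly three tokens; compared case-insensitively.
_SAMESITE_VALUES = {"strict", "lax", "none"}


class CookieAttributeError(ValueError):
    """Raised when a cookie attribute value could alter the Set-Cookie header."""


def validate_cookie_attributes(domain=None, path=None, samesite=None):
    """Return (domain, path, samesite) unchanged if all are safe, else raise."""
    if domain is not None and not _DOMAIN_RE.fullmatch(domain):
        raise CookieAttributeError(f"invalid Domain attribute: {domain!r}")
    if path is not None and (not path.startswith("/") or _CTL_OR_SEMICOLON.search(path)):
        raise CookieAttributeError(f"invalid Path attribute: {path!r}")
    if samesite is not None and samesite.lower() not in _SAMESITE_VALUES:
        raise CookieAttributeError(f"invalid SameSite attribute: {samesite!r}")
    return domain, path, samesite


def is_safe_cookie_attributes(domain=None, path=None, samesite=None):
    """Boolean form of validate_cookie_attributes, handy for request-time checks."""
    try:
        validate_cookie_attributes(domain, path, samesite)
        return True
    except CookieAttributeError:
        return False


def safe_set_cookie(handler, name, value, domain=None, path="/", samesite=None, **kwargs):
    """Validate attributes first; only then delegate to handler.set_cookie.
    `handler` is any object with a Tornado-style set_cookie method."""
    validate_cookie_attributes(domain, path, samesite)
    handler.set_cookie(name, value, domain=domain, path=path, samesite=samesite, **kwargs)


class RecordingHandler:
    """Constructed test double standing in for a tornado.web.RequestHandler."""
    def __init__(self):
        self.calls = []

    def set_cookie(self, name, value, **attrs):
        self.calls.append((name, value, attrs))
```

Calls that fail validation never reach set_cookie, so the attribute values in the Set-Cookie header are always the ones the application intended.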
CVE-2026-35536 is a HIGH severity vulnerability in Tornado versions up to 6.5b1 that allows attackers to inject malicious attributes into cookies due to insufficient input validation, potentially leading to session hijacking.
You are affected if you are using Tornado versions 6.5b1 or earlier. Upgrade to version 6.5.5 or later to mitigate the vulnerability.
Upgrade Tornado to version 6.5.5 or later. As a temporary workaround, implement a WAF rule to filter out malicious characters in cookie attributes.
There is currently no evidence of active exploitation, but it is recommended to apply the patch promptly to prevent potential future attacks.
Refer to the official Tornado project website and security advisories for the latest information and updates regarding CVE-2026-35536.