Python http.client CRLF injection via proxy tunnel headers (before 3.15)
CVE-2026-1502 Published on April 10, 2026
HTTP client proxy tunnel headers not validated for CR/LF
CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.
Weakness Type
What is a CRLF Injection Vulnerability?
The software uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
CVE-2026-1502 has been classified to as a CRLF Injection vulnerability or weakness.
Products Associated with CVE-2026-1502
Want to know whenever a new CVE is published for Python? stack.watch will email you.
Affected Versions
Python Software Foundation CPython:- Before 3.14.5rc1 is affected.
- Version 3.15.0a1 and below 3.15.0b1 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.