Cyber Resilience

CVE-2026-35536

Severity: High
Published: 03 April 2026
Modified: 10 April 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: Tornado 6.5.5
CVSS Score v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
EPSS Score: 0.0002 (5.3rd percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-35536 is a high-severity Improper Handling of Invalid Use of Special Elements (CWE-159) vulnerability in Tornadoweb Tornado. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 5.3rd percentile by exploit likelihood (EPSS, well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-35536 is a cookie attribute injection vulnerability affecting the Tornado Python web framework in versions prior to 6.5.5. The domain, path, and samesite arguments passed to RequestHandler.set_cookie were not validated for crafted characters before being written into the Set-Cookie header. Because cookie attributes are joined into that header as "; "-separated fields, a value containing a semicolon (or control characters) can append attributes the application never intended, such as a different Domain, Path or SameSite setting. The flaw only matters where an application passes request-influenced data into those arguments, which is exactly the case a framework-level check is meant to cover. It is rated with a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) and is associated with CWE-159 (Improper Handling of Invalid Use of Special Elements).

The CVSS vector describes an attack over the network with low complexity, no privileges and no user interaction. An attacker who can influence the values an application passes as the domain, path, or samesite arguments can smuggle additional cookie attributes into the response, changing where the browser sends the cookie or relaxing its SameSite behaviour. Successful exploitation yields limited confidentiality and integrity impact (low-sensitivity data exposure or minor changes to application state). The scope is marked as changed because the injected attributes take effect in the user's browser cookie jar, outside the vulnerable server component itself.
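The following is an added example, not code from the Tornado project or from this page, showing the injection mechanism and one way to check the attributes. It uses only the standard library's http.cookies.Morsel (which Tornado's set_cookie also builds on) so it runs without Tornado installed. The character class rejected here is this example's own assumption; it is not a copy of the exact check shipped in Tornado 6.5.5.

```python
"""Cookie attribute injection via unchecked Set-Cookie attributes.

Added example, not Tornado's own code. Builds a Set-Cookie header the way
a pre-6.5.5 set_cookie effectively did (attributes copied in as given) and
beside it a hardened builder that rejects crafted characters.
"""
import re
from http.cookies import Morsel

# Characters that must never appear inside a cookie attribute value:
# control characters (incl. CR/LF), whitespace, ';' (starts a new attribute)
# and ','.  ASSUMPTION: an illustrative policy, not Tornado's exact regex.
_BAD_ATTR_CHARS = re.compile(r"[\x00-\x20\x7f;,]")
_SAMESITE_VALUES = ("lax", "strict", "none")


def build_set_cookie_unchecked(name, value, *, domain=None, path="/", samesite=None):
    """Mimic the vulnerable behaviour: attribute values go straight into the header."""
    m = Morsel()
    m.set(name, value, value)  # Morsel.set(key, val, coded_val)
    m["path"] = path
    if domain is not None:
        m["domain"] = domain      # value is not validated by Morsel
    if samesite is not None:
        m["samesite"] = samesite  # value is not validated by Morsel
    # Morsel joins attributes with "; ", so an embedded ";" becomes a new attribute.
    return m.OutputString()


def build_set_cookie_checked(name, value, *, domain=None, path="/", samesite=None):
    """Hardened variant: reject crafted characters before they reach the header."""
    for attr, val in (("domain", domain), ("path", path), ("samesite", samesite)):
        if val is not None and _BAD_ATTR_CHARS.search(val):
            raise ValueError(f"Invalid cookie {attr}: {val!r}")
    if samesite is not None and samesite.lower() not in _SAMESITE_VALUES:
        raise ValueError(f"Invalid samesite value: {samesite!r}")
    return build_set_cookie_unchecked(name, value, domain=domain, path=path, samesite=samesite)


def attributes_rejected(**kwargs):
    """True if the hardened builder refuses the given attribute values."""
    try:
        build_set_cookie_checked("sid", "abc", **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed attacker input: the app meant to set only Domain, but the
    # value smuggles in SameSite=None, weakening the browser's default of Lax.
    crafted = "example.com; SameSite=None"
    print("vulnerable:", build_set_cookie_unchecked("sid", "abc", domain=crafted))
    print("rejected:  ", attributes_rejected(domain=crafted))
    print("clean:     ", build_set_cookie_checked("sid", "abc", domain="example.com", samesite="Lax"))
```

Note that CR/LF in an attribute is also caught by the check above; Tornado's header layer rejects newlines in header values separately, so the realistic vector for this CVE is the semicolon-delimited attribute, not response splitting.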

The Tornado project addressed this vulnerability in version 6.5.5, as detailed in the release notes at https://github.com/tornadoweb/tornado/releases/tag/v6.5.5 and the security advisory at https://github.com/tornadoweb/tornado/security/advisories/GHSA-78cv-mqj4-43f7. Security practitioners should upgrade to Tornado 6.5.5 or later (the installed version can be confirmed with: python -c "import tornado; print(tornado.version)"), audit any code path that feeds request-derived data into the domain, path or samesite arguments of set_cookie, and review custom cookie-handling code for the same validation gap.

Vulnerability details

In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to RequestHandler.set_cookie were not checked for crafted characters.

CWE(s)

CWE-159 Improper Handling of Invalid Use of Special Elements
Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a remote network-exploitable flaw in a public-facing Python web framework (Tornado) allowing unauthenticated cookie attribute injection without user interaction, directly corresponding to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-31958 (same product: Tornadoweb Tornado)

Affected Assets

tornadoweb / tornado, versions < 6.5.5 (fixed in 6.5.5)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent: SI-10 (Information Input Validation). Directly requires validation of information inputs such as the domain, path, and samesite arguments to set_cookie, preventing crafted characters from being injected into cookie attributes.

prevent: SI-2 (Flaw Remediation). Mandates identification, reporting, and correction of flaws such as this cookie attribute injection vulnerability, here by upgrading Tornado to 6.5.5 or later.

prevent: output filtering. Filtering information outputs such as generated Set-Cookie headers can sanitize or block malformed attributes that result from injection, as a defence in depth behind input validation.
