CVE-2026-35536
Published: 03 April 2026
Summary
CVE-2026-35536 is a high-severity Improper Handling of Invalid Use of Special Elements (CWE-159) vulnerability in Tornadoweb Tornado. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 5.3 percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-35536 is a cookie attribute injection vulnerability affecting the Tornado Python web framework in versions prior to 6.5.5. The issue arises because the domain, path, and samesite arguments passed to the RequestHandler.set_cookie method are not validated for crafted characters, allowing attackers to inject malicious content into cookie attributes. This flaw is rated with a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) and is associated with CWE-159 (Improper Handling of Invalid Use of Special Elements).
Remote attackers can exploit this vulnerability without authentication or user interaction over the network with low complexity. By supplying specially crafted inputs to the affected set_cookie arguments, they can manipulate cookie attributes such as domain, path, or samesite, potentially overriding intended cookie behaviors. Successful exploitation enables limited confidentiality and integrity impacts, such as unauthorized access to low-sensitivity data or minor modifications to application state, with a change in scope due to cross-context influence.
The Tornado project addressed this vulnerability in version 6.5.5, as detailed in the release notes at https://github.com/tornadoweb/tornado/releases/tag/v6.5.5 and the security advisory at https://github.com/tornadoweb/tornado/security/advisories/GHSA-78cv-mqj4-43f7. Security practitioners should upgrade to Tornado 6.5.5 or later to mitigate the issue, and review any custom cookie-handling code for similar validation gaps.
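As an added illustration of the input-validation control the advisory recommends (this is not Tornado's own code, and the helper names are hypothetical), the following builds a Set-Cookie header value and refuses crafted domain, path and samesite arguments before they reach the header. The character rules are an assumption taken from RFC 6265: an attribute value may not contain a control character or ';', since either would let a caller terminate the attribute and append new ones.

```python
import re
from typing import Optional

# Assumed rule (RFC 6265): no control characters and no ';' inside an attribute value.
_BAD_ATTR_CHARS = re.compile(r"[\x00-\x1f\x7f;]")
_SAMESITE_VALUES = {"strict", "lax", "none"}
_COOKIE_NAME = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def validate_cookie_attr(name: str, value: str) -> str:
    """Return value unchanged if it is a safe attribute value, else raise ValueError."""
    if _BAD_ATTR_CHARS.search(value):
        raise ValueError(f"cookie attribute {name!r} contains a control character or ';'")
    if name == "samesite" and value.lower() not in _SAMESITE_VALUES:
        raise ValueError("cookie attribute samesite must be Strict, Lax or None")
    if name == "path" and not value.startswith("/"):
        raise ValueError("cookie attribute path must start with '/'")
    return value


def build_set_cookie(name: str, value: str, *, domain: Optional[str] = None,
                     path: Optional[str] = None, samesite: Optional[str] = None,
                     secure: bool = False, httponly: bool = False) -> str:
    """Build a Set-Cookie header value, validating every caller-supplied attribute."""
    if not _COOKIE_NAME.fullmatch(name):
        raise ValueError("invalid cookie name")
    if _BAD_ATTR_CHARS.search(value):
        raise ValueError("invalid cookie value")
    parts = [f"{name}={value}"]
    for attr, val in (("Domain", domain), ("Path", path), ("SameSite", samesite)):
        if val is not None:
            parts.append(f"{attr}={validate_cookie_attr(attr.lower(), val)}")
    if secure:
        parts.append("Secure")
    if httponly:
        parts.append("HttpOnly")
    return "; ".join(parts)


def accepts(**attrs) -> bool:
    """True if build_set_cookie accepts these attributes; handy for auditing call sites."""
    try:
        build_set_cookie("session", "abc123", **attrs)
    except ValueError:
        return False
    return True
```

Wrapping an application's own set_cookie calls with a check like validate_cookie_attr is the review step the advisory suggests for custom cookie-handling code on versions that cannot be upgraded immediately.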
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-18574
Vulnerability details
In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to RequestHandler.set_cookie were not checked for crafted characters.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a remote network-exploitable flaw in a public-facing Python web framework (Tornado) allowing unauthenticated cookie attribute injection without user interaction, directly corresponding to exploitation of public-facing applications.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation of information inputs such as the domain, path, and samesite arguments to set_cookie, preventing crafted-character injection into cookie attributes.
- SI-2 (Flaw Remediation): Mandates identification, reporting, and correction of flaws like this cookie attribute injection vulnerability, here by upgrading Tornado to 6.5.5 or later.
- Information output filtering: Enables filtering of information outputs such as generated cookie headers, to sanitize or block malformed attributes resulting from injection.