CVE-2020-26116

http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.

Published: Sep 27, 2020
Updated: Nov 16, 2025
CVE: CVE-2020-26116
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.2
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CVSS v2:

Severity: Medium
Score: 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:N

CWEs:

CWE-74

Affected Software
References

Software	From	Fixed in
python / python	3.0.0	3.5.10
python / python	3.8.0	3.8.5
python / python	3.7.0	3.7.9
python / python	3.6.0	3.6.12
fedoraproject / fedora	31	31.x
fedoraproject / fedora	32	32.x
fedoraproject / fedora	33	33.x
canonical / ubuntu_linux	18.04	18.04.x
canonical / ubuntu_linux	14.04	14.04.x
canonical / ubuntu_linux	16.04	16.04.x
canonical / ubuntu_linux	12.04	12.04.x
debian / debian_linux	9.0	9.0.x
oracle / zfs_storage_appliance_kit	8.8	8.8.x
opensuse / leap	15.1	15.1.x

Vulnerability Database

311,377

CVE-2020-26116

Deep Security Visibility Without the Complexity