{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35536", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-04-03T02:25:57.035Z", "datePublished": "2026-04-03T02:25:57.427Z", "dateUpdated": "2026-04-03T13:12:16.105Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Tornado", "vendor": "tornadoweb", "versions": [{"lessThan": "6.5.5", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.set_cookie were not checked for crafted characters."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-159", "description": "CWE-159 Improper Handling of Invalid Use of Special Elements", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-03T02:25:57.427Z"}, "references": [{"url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-78cv-mqj4-43f7"}, {"url": "https://github.com/tornadoweb/tornado/releases/tag/v6.5.5"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T13:12:08.835726Z", "id": "CVE-2026-35536", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T13:12:16.105Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35536", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-03T13:12:08.835726Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T13:12:12.583Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "tornadoweb", "product": "Tornado", "versions": [{"status": "affected", "version": "0", "lessThan": "6.5.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-78cv-mqj4-43f7"}, {"url": "https://github.com/tornadoweb/tornado/releases/tag/v6.5.5"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.set_cookie were not checked for crafted characters."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-159", "description": "CWE-159 Improper Handling of Invalid Use of Special Elements"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-03T02:25:57.427Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35536", "state": "PUBLISHED", "dateUpdated": "2026-04-03T13:12:16.105Z", "dateReserved": "2026-04-03T02:25:57.035Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-03T02:25:57.427Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.set_cookie were not checked for crafted characters."}], "id": "CVE-2026-35536", "lastModified": "2026-04-03T16:10:23.730", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-04-03T04:16:53.550", "references": [{"source": "cve@mitre.org", "url": "https://github.com/tornadoweb/tornado/releases/tag/v6.5.5"}, {"source": "cve@mitre.org", "url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-78cv-mqj4-43f7"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-159"}], "source": "cve@mitre.org", "type": "Primary"}]}

{"bugzilla": {"description": "tornado: Tornado: Cookie attribute injection due to improper handling of cookie arguments", "id": "2454716", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454716"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-88", "details": ["A flaw was found in Tornado. A remote attacker could exploit this vulnerability by injecting specially crafted characters into the `domain`, `path`, and `samesite` arguments when setting cookies. This could lead to cookie attribute injection, potentially allowing for information disclosure or manipulation of client-side data."], "name": "CVE-2026-35536", "package_state": [{"cpe": "cpe:/a:redhat:external_secrets_operator:1", "fix_state": "Affected", "package_name": "redhat-user-workloads/bitwarden-sdk-server-1-0", "product_name": "External Secrets Operator for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:external_secrets_operator:1", "fix_state": "Affected", "package_name": "redhat-user-workloads/external-secrets-1-0", "product_name": "External Secrets Operator for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:external_secrets_operator:1", "fix_state": "Affected", "package_name": "redhat-user-workloads/external-secrets-operator-1-0", "product_name": "External Secrets Operator for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:external_secrets_operator:1", "fix_state": "Affected", "package_name": "redhat-user-workloads/external-secrets-operator-bundle-1-0", "product_name": "External Secrets Operator for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:lightspeed_core", "fix_state": "Not affected", "package_name": "redhat-user-workloads/lightspeed-stack", "product_name": "Lightspeed Core"}, {"cpe": "cpe:/a:redhat:lightspeed_core", "fix_state": "Not affected", "package_name": "redhat-user-workloads/rag-tool", "product_name": "Lightspeed Core"}, {"cpe": "cpe:/a:redhat:migration_toolkit_applications:8", "fix_state": "Affected", "package_name": "redhat-user-workloads/art-images", "product_name": "Migration Toolkit for Applications 8"}, {"cpe": "cpe:/a:redhat:openshift_lightspeed", "fix_state": "Affected", "package_name": "redhat-user-workloads/lightspeed-ocp-rag", "product_name": "OpenShift Lightspeed"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "pcs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "pcs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "redhat-user-workloads/bootc-cuda-3-3", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "redhat-user-workloads/bootc-cuda-disk-image-container-3-3", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "redhat-user-workloads/bootc-rocm-3-3", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:hummingbird:1", "fix_state": "Affected", "package_name": "tornado", "product_name": "Red Hat Hardened Images 1"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "redhat-user-workloads/llama-stack-cpu", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-llama-stack-core-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-mlflow-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-pipeline-runtime-datascience-cpu-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-pipeline-runtime-minimal-cpu-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-pipeline-runtime-pytorch-cuda-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-pipeline-runtime-pytorch-llmcompressor-cuda-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-pipeline-runtime-pytorch-rocm-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-pipeline-runtime-tensorflow-cuda-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-pipeline-runtime-tensorflow-rocm-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-trustyai-nemo-guardrails-server-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-workbench-codeserver-datascience-cpu-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-workbench-jupyter-datascience-cpu-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-workbench-jupyter-minimal-cpu-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-workbench-jupyter-minimal-cuda-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-workbench-jupyter-minimal-rocm-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-workbench-jupyter-pytorch-cuda-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-workbench-jupyter-pytorch-llmcompressor-cuda-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-workbench-jupyter-pytorch-rocm-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-workbench-jupyter-tensorflow-cuda-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-workbench-jupyter-tensorflow-rocm-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-workbench-jupyter-trustyai-cpu-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "python-pep517", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-04-03T02:25:57Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-35536\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-35536\nhttps://github.com/tornadoweb/tornado/releases/tag/v6.5.5\nhttps://github.com/tornadoweb/tornado/security/advisories/GHSA-78cv-mqj4-43f7"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,6.5.5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Tornado", "source": "cna", "vendor": "tornadoweb"}, "product": "tornado", "vendor": "tornadoweb"}], "analysis": {"en": {"generated_at": "2026-04-03T06:20:56.271122+00:00", "value": {"mitigation_remediation": ["Upgrade Tornado to version 6.5.5 or later immediately"], "summary": {"action": "Patch immediately", "impact": "Cookie attribute injection that may allow an attacker to manipulate domain, path, or SameSite settings, potentially compromising session integrity"}, "threat_synthesis": {"affected_systems": "All versions of Tornado older than 6.5.5 are affected. The vulnerability exists in the Tornado web framework itself, where the set_cookie method does not sanitize input for cookie attributes. Users deploying Tornado 6.5.5 or newer are not vulnerable.", "description_and_impact": "The vulnerability allows an attacker to inject arbitrary cookie attributes when the set_cookie method of Tornado\u2019s RequestHandler receives unvalidated domain, path, or samesite values. This can enable manipulation of session cookies, facilitating session fixation, cookie hijacking, or cross\u2011site request forgery by setting attributes that change how browsers handle the cookie. The weakness corresponds to CWE\u2011159, which involves unexpected or unsafe handling of input data. The impact is limited to the integrity and confidentiality of user sessions, as the attacker can influence cookie behavior without executing arbitrary code.", "risk_and_exploitability": "With a CVSS score of 7.2, the issue is classified as high severity. The EPSS score is not available, and the vulnerability is not listed in CISA\u2019s KEV catalog. The attack path is inferred to be remote, via crafted HTTP requests that invoke the set_cookie method. Although there is no direct code execution, the ability to alter cookie characteristics poses a significant risk to session management and may be leveraged in broader attacks such as session fixation or CSRF. Institutions should treat this as a high\u2011priority security concern."}}}}, "created": "2026-04-03T07:31:11.732804+00:00", "title": "Cookie Attribute Injection in Tornado\u2019s set_cookie", "updated": "2026-04-03T09:15:59.334553+00:00", "vendors": ["tornadoweb", "tornadoweb$PRODUCT$tornado"]}