JustAppSec

Tornado patches cookie attribute injection in set_cookie validation

Published 03 Apr 2026. Source: CVEProject (cvelistV5)

TL;DR — Tornado’s RequestHandler.set_cookie() failed to validate cookie attribute fields, enabling cookie attribute injection that can weaken application session/cookie security controls.

What happened

Tornado is a popular Python web framework and asynchronous networking library used to build web services and APIs.

CVE-2026-35536 reports that in Tornado versions prior to 6.5.5, the domain, path, and samesite arguments to RequestHandler.set_cookie were not checked for crafted characters. This allows cookie attribute injection: delimiter characters in those values let an attacker append additional cookie attributes to the Set-Cookie header.

The CVE record lists a CVSS v3.1 base score of 7.2 (High), reflecting that cookie/header manipulation vulnerabilities can cross trust boundaries and quietly undermine authentication/session assumptions in downstream clients and intermediaries.

Who is impacted

  • Services using tornado with versions marked as affected in the CVE record: < 6.5.5.
  • Highest risk when untrusted or attacker-influenced data can reach RequestHandler.set_cookie() parameters domain, path, or samesite (directly or via config/tenant metadata).
Component: tornado
Affected versions (per CVE record): < 6.5.5
Fixed version referenced by vendor advisory: 6.5.5

What to do now

  • Follow vendor remediation guidance and apply the latest patched release available at the time of writing.
    • "Patched versions: 6.5.5"

  • Inventory where tornado is deployed (services, containers, base images) and prioritize upgrades for internet-facing apps and auth-heavy services.
  • Audit calls to RequestHandler.set_cookie() and ensure domain, path, and samesite are not derived from untrusted input; use strict allowlists for any dynamic values.
  • If you rely on cookie attributes for security boundaries (e.g., Domain/Path scoping, SameSite), re-test authentication flows and cookie issuance after updating to confirm expected Set-Cookie formatting and attribute enforcement.
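A defensive pre-check in the spirit of the allowlist advice above, written here as an added example (it is not Tornado's code or the upstream fix). It assumes a service-side wrapper that validates domain, path, and samesite before they reach RequestHandler.set_cookie(), and uses the stdlib Morsel only to show what the resulting header looks like.

```python
import re
from http.cookies import SimpleCookie

# Constructed allowlists (example code, not Tornado's own validation).
# Domain: optional leading dot, then dot-separated DNS labels.
_DOMAIN_RE = re.compile(
    r"^\.?(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)
# Path: must start with "/" and contain only printable ASCII except ";"
# (RFC 6265 path-value forbids CTLs and ";", which would end the attribute).
_PATH_RE = re.compile(r"^/[\x20-\x3a\x3c-\x7e]*$")
# SameSite: exact allowlist, normalized to canonical spelling.
_SAMESITE_ALLOWED = {"strict": "Strict", "lax": "Lax", "none": "None"}


class CookieAttributeError(ValueError):
    """Raised when a cookie attribute value could alter the Set-Cookie header."""


def validate_cookie_attributes(domain=None, path="/", samesite=None):
    """Return normalized (domain, path, samesite) or raise CookieAttributeError.

    Anything containing ";", ",", CR/LF or other control characters fails the
    regexes, so a value can never terminate the current attribute and start
    a new one inside the header. Call this before set_cookie() (assumption:
    the caller wraps the framework call with it)."""
    if domain is not None and not _DOMAIN_RE.fullmatch(domain):
        raise CookieAttributeError(f"invalid cookie Domain: {domain!r}")
    if path is not None and not _PATH_RE.fullmatch(path):
        raise CookieAttributeError(f"invalid cookie Path: {path!r}")
    norm_samesite = None
    if samesite is not None:
        norm_samesite = _SAMESITE_ALLOWED.get(samesite.lower())
        if norm_samesite is None:
            raise CookieAttributeError(f"invalid cookie SameSite: {samesite!r}")
    return domain, path, norm_samesite


def render_set_cookie(name, value, domain=None, path="/", samesite=None):
    """Validate the attributes, then render the Set-Cookie value with the
    stdlib Morsel so the exact header the client receives can be inspected
    in a test (Secure and HttpOnly are always set here)."""
    domain, path, samesite = validate_cookie_attributes(domain, path, samesite)
    cookie = SimpleCookie()
    cookie[name] = value
    morsel = cookie[name]
    if domain:
        morsel["domain"] = domain
    morsel["path"] = path
    if samesite:
        morsel["samesite"] = samesite
    morsel["secure"] = True
    morsel["httponly"] = True
    return morsel.OutputString()
```

Wiring this in front of every set_cookie() call turns a tenant- or config-supplied delimiter into a logged exception rather than an extra attribute on the wire, and the rendered header makes the post-upgrade re-test from the last bullet mechanical.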

Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
