CPython configparser – Configuration Injection via Carriage Return (CVE-2026-0864)
Scope: CPython, All Versions Prior to 3.15.0
Severity: Medium
A configuration injection vulnerability in the configparser module of CPython allows a local attacker with write privileges to inject unexpected keys and values into configuration files by abusing a failure to properly sanitize carriage return (\r) characters in multi-line text values. When an application or a victim user subsequently parses the altered file, the injected configuration entries can silently manipulate application behavior, bypass intended security controls, or facilitate unauthorized privilege escalation. Given Python's ubiquity in system administration scripts and application backends, compromised configurations present a hidden vector for internal policy subversion. Organizations must upgrade to CPython version 3.15.0 or later immediately; if an immediate upgrade is unfeasible, developers should avoid writing untrusted multi-line inputs with configparser.write() and implement strict input validation to strip or escape carriage return characters before the file is written.
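The mitigation above (validate multi-line values before they reach configparser.write()) can be enforced in a small wrapper, and administrators can audit files already on disk for the bare carriage return the advisory describes. The following is an added illustration, not code from the advisory or from CPython; the function names (check_value, render_config, roundtrip_matches, scan_for_bare_cr) and the sample section data are assumptions constructed for the example.

```python
"""Defensive helpers around configparser for multi-line values.

check_value()       rejects a value containing a bare '\r' before it is
                    written, which is the validation the advisory recommends.
render_config()     writes a config file from a nested dict via those checks.
roundtrip_matches() re-parses the written text the way ConfigParser.read()
                    would read a file (universal newlines) and confirms that
                    exactly the intended sections and options came back.
scan_for_bare_cr()  audits an existing file's bytes for a '\r' that is not
                    part of a '\r\n' pair, so already-written files can be
                    reviewed without relying on the interpreter's newline
                    translation.
All names here are example code, not part of CPython or the advisory.
"""
import configparser
import io
import re

# A '\r' not followed by '\n'; '\r\n' (Windows line endings) is not flagged.
_BARE_CR = re.compile(rb"\r(?!\n)")


class UnsafeConfigValue(ValueError):
    """A value that a text-mode reader could split into additional lines."""


def is_safe_value(value: str) -> bool:
    """True if configparser.write() can emit the value as one option.

    configparser indents an embedded '\n' so it stays a continuation line,
    but it does not do the same for '\r'. A reader in universal-newline mode
    turns that '\r' into a line break, so text after it is parsed as a new
    option. Rejecting the value keeps the failure visible to the caller.
    """
    return "\r" not in value


def check_value(value: str) -> str:
    """Return value unchanged if it is safe, otherwise raise."""
    if not is_safe_value(value):
        raise UnsafeConfigValue("carriage return in configuration value")
    return value


def render_config(sections: dict[str, dict[str, str]]) -> str:
    """Render nested dict -> configparser text, validating every value."""
    parser = configparser.ConfigParser(interpolation=None)
    for section, options in sections.items():
        parser[section] = {k: check_value(v) for k, v in options.items()}
    buf = io.StringIO()
    parser.write(buf)
    return buf.getvalue()


def roundtrip_matches(sections: dict[str, dict[str, str]], text: str) -> bool:
    """Re-parse text as ConfigParser.read() would and compare option names.

    newline=None mirrors a file opened in text mode, so a '\r' that would
    become a line break on disk also becomes one here. Option names are
    lowercased to match the default optionxform; DEFAULT-section options are
    excluded from each section because configparser merges them in on read.
    """
    reparsed = configparser.ConfigParser(interpolation=None)
    reparsed.read_file(io.StringIO(text, newline=None))
    expected = {s: {k.lower() for k in o}
                for s, o in sections.items() if s != "DEFAULT"}
    defaults = set(reparsed.defaults())
    actual = {s: set(reparsed.options(s)) - defaults
              for s in reparsed.sections()}
    return expected == actual


def scan_for_bare_cr(data: bytes) -> list[int]:
    """Return sorted 1-based line numbers (counting '\n') with a bare '\r'.

    Pass the file contents read in binary mode ('rb') so no newline
    translation hides the byte before it is inspected.
    """
    hits = {data.count(b"\n", 0, m.start()) + 1
            for m in _BARE_CR.finditer(data)}
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample data; a legitimate multi-line value is accepted.
    sample = {"server": {"host": "localhost",
                         "motd": "line one\nline two"}}
    rendered = render_config(sample)
    print(rendered)
    print("round-trip ok:", roundtrip_matches(sample, rendered))
    # Constructed file bytes with one bare '\r' on the third line.
    print("bare CR on lines:",
          scan_for_bare_cr(b"[a]\r\nx = 1\r\ny = 2\rz = 3\n"))
```

The round-trip check is the defence-in-depth layer: even if a caller bypasses check_value(), comparing the option names that come back from a universal-newline re-parse against the names that were intended exposes any extra key before the file is trusted.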
The Uganda National CERT and Coordination Center (CERT.UG/CC) encourages users and administrators to review the Python Security Announcement (CVE-2026-0864) and apply the necessary updates.