{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35536", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-04-03T02:25:57.035Z", "datePublished": "2026-04-03T02:25:57.427Z", "dateUpdated": "2026-04-03T13:12:16.105Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Tornado", "vendor": "tornadoweb", "versions": [{"lessThan": "6.5.5", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.set_cookie were not checked for crafted characters."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-159", "description": "CWE-159 Improper Handling of Invalid Use of Special Elements", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-03T02:25:57.427Z"}, "references": [{"url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-78cv-mqj4-43f7"}, {"url": "https://github.com/tornadoweb/tornado/releases/tag/v6.5.5"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T13:12:08.835726Z", "id": "CVE-2026-35536", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T13:12:16.105Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35536", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-03T13:12:08.835726Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T13:12:12.583Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "tornadoweb", "product": "Tornado", "versions": [{"status": "affected", "version": "0", "lessThan": "6.5.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-78cv-mqj4-43f7"}, {"url": "https://github.com/tornadoweb/tornado/releases/tag/v6.5.5"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.set_cookie were not checked for crafted characters."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-159", "description": "CWE-159 Improper Handling of Invalid Use of Special Elements"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-03T02:25:57.427Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35536", "state": "PUBLISHED", "dateUpdated": "2026-04-03T13:12:16.105Z", "dateReserved": "2026-04-03T02:25:57.035Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-03T02:25:57.427Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tornadoweb:tornado:*:*:*:*:*:*:*:*", "matchCriteriaId": "00D7B62E-5B93-4654-80D9-C7B7BC3A5BB8", "versionEndExcluding": "6.5.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.set_cookie were not checked for crafted characters."}], "id": "CVE-2026-35536", "lastModified": "2026-04-10T15:14:22.700", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "cve@mitre.org", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-03T04:16:53.550", "references": [{"source": "cve@mitre.org", "tags": ["Product"], "url": "https://github.com/tornadoweb/tornado/releases/tag/v6.5.5"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-78cv-mqj4-43f7"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-159"}], "source": "cve@mitre.org", "type": "Primary"}]}

{"bugzilla": {"description": "tornado: Tornado: Cookie attribute injection due to improper handling of cookie arguments", "id": "2454716", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454716"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-88", "details": ["A flaw was found in Tornado. A remote attacker could exploit this vulnerability by injecting specially crafted characters into the `domain`, `path`, and `samesite` arguments when setting cookies. This could lead to cookie attribute injection, potentially allowing for information disclosure or manipulation of client-side data."], "name": "CVE-2026-35536", "package_state": [{"cpe": "cpe:/a:redhat:external_secrets_operator:1", "fix_state": "Affected", "package_name": "redhat-user-workloads/bitwarden-sdk-server-1-0", "product_name": "External Secrets Operator for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:external_secrets_operator:1", "fix_state": "Affected", "package_name": "redhat-user-workloads/external-secrets-1-0", "product_name": "External Secrets Operator for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:external_secrets_operator:1", "fix_state": "Affected", "package_name": "redhat-user-workloads/external-secrets-operator-1-0", "product_name": "External Secrets Operator for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:external_secrets_operator:1", "fix_state": "Affected", "package_name": "redhat-user-workloads/external-secrets-operator-bundle-1-0", "product_name": "External Secrets Operator for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:lightspeed_core", "fix_state": "Not affected", "package_name": "redhat-user-workloads/lightspeed-stack", "product_name": "Lightspeed Core"}, {"cpe": "cpe:/a:redhat:lightspeed_core", "fix_state": "Not affected", "package_name": "redhat-user-workloads/rag-tool", "product_name": "Lightspeed Core"}, {"cpe": "cpe:/a:redhat:migration_toolkit_applications:8", "fix_state": "Affected", "package_name": "redhat-user-workloads/art-images", "product_name": "Migration Toolkit for Applications 8"}, {"cpe": "cpe:/a:redhat:openshift_lightspeed", "fix_state": "Affected", "package_name": "redhat-user-workloads/lightspeed-ocp-rag", "product_name": "OpenShift Lightspeed"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "pcs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "pcs", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "redhat-user-workloads/bootc-cuda-3-3", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "redhat-user-workloads/bootc-cuda-disk-image-container-3-3", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Affected", "package_name": "redhat-user-workloads/bootc-rocm-3-3", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:hummingbird:1", "fix_state": "Affected", "package_name": "tornado", "product_name": "Red Hat Hardened Images 1"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "redhat-user-workloads/llama-stack-cpu", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-llama-stack-core-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-mlflow-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-pipeline-runtime-datascience-cpu-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-pipeline-runtime-minimal-cpu-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-pipeline-runtime-pytorch-cuda-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-pipeline-runtime-pytorch-llmcompressor-cuda-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-pipeline-runtime-pytorch-rocm-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-pipeline-runtime-tensorflow-cuda-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-pipeline-runtime-tensorflow-rocm-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-trustyai-nemo-guardrails-server-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-workbench-codeserver-datascience-cpu-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-workbench-jupyter-datascience-cpu-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-workbench-jupyter-minimal-cpu-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-workbench-jupyter-minimal-cuda-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-workbench-jupyter-minimal-rocm-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-workbench-jupyter-pytorch-cuda-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-workbench-jupyter-pytorch-llmcompressor-cuda-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-workbench-jupyter-pytorch-rocm-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-workbench-jupyter-tensorflow-cuda-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-workbench-jupyter-tensorflow-rocm-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-workbench-jupyter-trustyai-cpu-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "python-pep517", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-04-03T02:25:57Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-35536\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-35536\nhttps://github.com/tornadoweb/tornado/releases/tag/v6.5.5\nhttps://github.com/tornadoweb/tornado/security/advisories/GHSA-78cv-mqj4-43f7"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,6.5.5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Tornado", "source": "cna", "vendor": "tornadoweb"}, "product": "tornado", "vendor": "tornadoweb"}], "analysis": {"en": {"generated_at": "2026-04-10T16:26:40.535273+00:00", "value": {"mitigation_remediation": ["Apply the Tornado 6.5.5 or later patch immediately", "Verify that domain, path and samesite arguments passed to RequestHandler.set_cookie are validated or originate from trusted sources", "If an update is not possible, avoid using set_cookie with untrusted input or explicitly set safe default values for cookie attributes", "Keep the firewall and web application monitoring configured to detect abnormal cookie behavior"], "summary": {"action": "Patch Immediately", "impact": "Session hijacking via cookie attribute injection"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Tornado web framework provided by Tornadoweb. Any deployment of Tornado that is running a version earlier than 6.5.5 is susceptible. Systems that rely on RequestHandler.set_cookie to configure user sessions or cross\u2011site tokens are at risk.", "description_and_impact": "In Tornado prior to version 6.5.5 the method RequestHandler.set_cookie failed to validate the domain, path and samesite arguments, enabling an attacker to craft cookie attributes that alter cookie behavior. By injecting special characters an adversary could set cookies with unintended scopes or attribute values, potentially bypassing same\u2011site restrictions or establishing cross\u2011domain cookies. This weakness is classified under CWE\u2011159 (Improper Validation of Input) and CWE\u201188 (Improper Specification of Cookie Use). The resulting impact is the ability to manipulate the session context, leading to session hijacking or privilege escalation within the application.", "risk_and_exploitability": "The CVSS score of 7.2 indicates a high severity vulnerability. The EPSS score of less than 1 percent suggests that exploitation of this weakness is unlikely to be widespread at present. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The most likely attack vector is a remote attacker exploiting a web application that incorrectly supplies cookie arguments to set_cookie; the attacker would need to craft a response that triggers the injection path in the target server."}}}}, "created": "2026-04-03T07:31:11.732804+00:00", "updated": "2026-04-13T14:28:00.232967+00:00", "vendors": ["tornadoweb", "tornadoweb$PRODUCT$tornado"]}