CVE-2026-49853
Public on 2026-07-14
Modified on 2026-07-16
Description
Tornado is a Python web framework and asynchronous networking library. Prior to 6.5.6, SimpleAsyncHTTPClient shallow-copied redirected requests and removed only the Host header, leaving Authorization, auth_username, auth_password, and auth_mode in place when a redirect changed scheme, host, or port. This issue is fixed in version 6.5.6.
Severity
See what this means
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2023 | python-flit | Not Affected | ||
| Amazon Linux 2 - Core | python-tornado | Pending Fix | ||
| Amazon Linux 2023 | python-tornado | Pending Fix | ||
| Amazon Linux 2 - Core | python3-tornado | Pending Fix | ||
| Amazon Linux 2023 | python3.13-tornado | Pending Fix |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 8.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |