CVE-2026-1299
📋 TL;DR
This vulnerability in Python's email module allows header injection when serializing email messages. Attackers can inject malicious headers by exploiting improper newline quoting in the BytesGenerator class. This affects applications that use Python's email module with LiteralHeader for email serialization.
💻 Affected Systems
- Python
- Applications using Python's email module
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Email spoofing, phishing attacks, email header manipulation leading to information disclosure or social engineering attacks
Likely Case
Email header injection allowing attackers to modify email metadata, potentially bypassing spam filters or altering email routing
If Mitigated
Minimal impact if email validation and sanitization are implemented at application level
🎯 Exploit Status
Exploitation requires control over email header content and specific usage patterns
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Python versions with commits 052e55e7d44718fe46cbba0ca995cb8fcc359413, 0a925ab591c45d6638f37b5e57796f36fa0e56d8, 7877fe424415bc4a13045e62a90a7277413d8cb9, 842ce19a0c0b58d61591e8f6a708c38db1fb94e4
Vendor Advisory: https://cve.org/CVERecord?id=CVE-2024-6923
Restart Required: No
Instructions:
1. Update Python to a version containing the fix commits.
2. Verify the email module version.
3. Test email serialization functionality.
🔧 Temporary Workarounds
Input Validation
Implement strict input validation for email headers to prevent newline injection
Use Alternative Email Libraries
Temporarily use third-party email libraries that are not affected
🧯 If You Can't Patch
- Implement WAF rules to detect and block email header injection attempts
- Deploy email gateway filtering to sanitize outgoing email headers
🔍 How to Verify
Check if Vulnerable:
Check the Python version and verify whether the email module uses the affected BytesGenerator with LiteralHeader
Check Version:
python --version
Verify Fix Applied:
Test email serialization with headers containing newlines to ensure they are properly quoted
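The two checks described in this section (validate header input before it reaches the email module, then inspect the serialized output for header lines the application never set), as an added example that is not code from this page or from CPython. The header names, the addresses in the example.invalid domain and the two sample serialized messages are constructed for illustration; the classification of the tainted input into 'rejected', 'ok' or 'injected' is whatever the running interpreter does, which is the point of the verification step.

```python
"""Defender-side checks for email header injection (added example).

validate_header_value()   rejects header names/values containing CR or LF
                          before they ever reach the email module.
find_unexpected_headers() parses a serialized message's header block and
                          reports header names the application did not set,
                          which is what an injected header looks like on the wire.
serialize_and_check()     round-trips headers through the stdlib email module
                          so the interpreter's behaviour can be observed.
"""
import email.errors
import re
from email.message import EmailMessage
from email import policy

# RFC 5322 field-name: printable US-ASCII except colon (0x21-0x39, 0x3B-0x7E).
_FIELD_NAME = re.compile(r"^[\x21-\x39\x3B-\x7E]+$")
_CRLF = re.compile(r"[\r\n]")


def validate_header_value(name: str, value: str) -> bool:
    """Return True only if the header is safe to hand to the email module."""
    if not _FIELD_NAME.match(name):
        return False
    # A bare CR or LF in a value is the raw material for header injection.
    return not _CRLF.search(value)


def find_unexpected_headers(raw: bytes, expected_names) -> set:
    """Return header names in the serialized header block that were not expected.
    Folded continuation lines (leading whitespace) belong to the previous header
    and are skipped, so legitimate folding is not flagged."""
    head = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[0]
    seen = set()
    for line in head.splitlines():
        if not line or line[:1] in (b" ", b"\t"):
            continue  # continuation of the previous header
        name, sep, _ = line.partition(b":")
        if sep:
            seen.add(name.decode("ascii", "replace").strip().lower())
    return seen - {n.lower() for n in expected_names}


def serialize_and_check(headers: dict, prevalidate: bool = True) -> tuple:
    """Round-trip headers through EmailMessage and classify the outcome:
    'invalid'  - validate_header_value() rejected the input (prevalidate=True),
    'rejected' - the email module refused to store or serialize the header,
    'injected' - serialization succeeded but extra header lines appeared,
    'ok'       - serialization succeeded with exactly the expected headers."""
    if prevalidate:
        for name, value in headers.items():
            if not validate_header_value(name, value):
                return "invalid", set()
    msg = EmailMessage(policy=policy.default)
    try:
        for name, value in headers.items():
            msg[name] = value
        msg.set_content("body")
        raw = msg.as_bytes()
    except (ValueError, email.errors.MessageError):
        # MessageError is the base of HeaderWriteError on fixed interpreters.
        return "rejected", set()
    # set_content adds its own headers; they are expected, not injected.
    expected = set(headers) | {"Content-Type", "Content-Transfer-Encoding", "MIME-Version"}
    extra = find_unexpected_headers(raw, expected)
    return ("injected" if extra else "ok"), extra


# Constructed sample: serialized output in which an extra Bcc line appeared.
INJECTED_SAMPLE = (b"From: a@example.invalid\nTo: b@example.invalid\n"
                   b"Subject: Hello\nBcc: c@example.invalid\n\nbody\n")
# Constructed sample: a legitimately folded Subject, which must not be flagged.
FOLDED_SAMPLE = (b"From: a@example.invalid\nTo: b@example.invalid\n"
                 b"Subject: Hello\n continued on a folded line\n\nbody\n")

if __name__ == "__main__":
    clean = {"From": "a@example.invalid", "To": "b@example.invalid", "Subject": "Hello"}
    tainted = dict(clean, Subject="Hello\nBcc: c@example.invalid")
    print(serialize_and_check(clean))                       # ('ok', set())
    print(serialize_and_check(tainted))                     # ('invalid', set())
    print(serialize_and_check(tainted, prevalidate=False))  # interpreter-dependent
```

Run the block on each interpreter in the estate: a result of 'rejected' or 'ok' for the tainted input with `prevalidate=False` means the module refused or safely quoted the newline, while 'injected' means the serialized bytes carried an extra header line and the application-level validation is the only thing standing in the way. The same `find_unexpected_headers` logic can be applied to outbound messages captured at the gateway to produce the "unusual header pattern" log indicator.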
📡 Detection & Monitoring
Log Indicators:
- Unusual email header patterns
- Multiple newline characters in email headers
- Email serialization errors
Network Indicators:
- Email traffic with malformed headers
- SMTP connections with suspicious header content
SIEM Query:
search email_headers contains "\n" OR email_serialization_error
🔗 References
- https://cve.org/CVERecord?id=CVE-2024-6923
- https://github.com/python/cpython/commit/052e55e7d44718fe46cbba0ca995cb8fcc359413
- https://github.com/python/cpython/commit/0a925ab591c45d6638f37b5e57796f36fa0e56d8
- https://github.com/python/cpython/commit/7877fe424415bc4a13045e62a90a7277413d8cb9
- https://github.com/python/cpython/commit/842ce19a0c0b58d61591e8f6a708c38db1fb94e4
- https://github.com/python/cpython/commit/8cdf6204f4ae821f32993f8fc6bad0d318f95f36
- https://github.com/python/cpython/commit/e417f05ad77a4c30ddc07f99e90fc0cef43e831a
- https://github.com/python/cpython/issues/144125
- https://github.com/python/cpython/pull/144126
- https://mail.python.org/archives/list/security-announce@python.org/thread/6ZZULGALJTITEAGEXLDJE2C6FORDXPBT/