CVE-2026-44546

Name: CVE-2026-44546
Description: daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake processing. Twisted does not treat \x0b, \x0c, \x1c, \x1d, \x1e, or \x85 as header line separators, but autobahn decodes header values to str and calls splitlines(). An attacker can exploit this parser differential to inject additional headers into the ASGI scope passed to the application. daphne now rejects requests with these bytes in any header value with a 400 response.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1138864

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package         Release      Version    Status
python-daphne (PTS)    bullseye     3.0.1-1    vulnerable
                       bookworm     4.0.0-1    vulnerable
                       trixie       4.1.2-2    vulnerable
                       forky, sid   4.2.1-2    vulnerable

The information below is based on the following data on fixed versions.

Package         Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
python-daphne   source   (unstable)   (unfixed)                          1138864

Notes

[trixie] - python-daphne <no-dsa> (Minor issue)
[bookworm] - python-daphne <no-dsa> (Minor issue)
[bullseye] - python-daphne <postponed> (Minor issue)
Fixed by: https://github.com/django/daphne/commit/2628b7b2e6a196afff58defee3d77671a28de631 (4.2.2)
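The description above turns on one Python detail: str.splitlines() treats \x0b, \x0c, \x1c, \x1d, \x1e and \x85 as line boundaries, while an HTTP parser that only recognises CRLF leaves them inside a header value. The following added example (not daphne's, Twisted's or autobahn's code) makes the differential visible on a constructed header value and shows a validation check in the spirit of the 4.2.2 fix: reject any request whose header value contains one of those bytes. The latin-1 decoding and the header list format are assumptions for the demo.

```python
from typing import Iterable

# The six byte values named in the advisory. A CRLF-only parser keeps them inside
# the value; str.splitlines() splits the value at each of them.
PARSER_DIFFERENTIAL_BYTES = frozenset(b"\x0b\x0c\x1c\x1d\x1e\x85")


def lines_after_splitlines(raw_value: bytes) -> list[str]:
    """Show what a splitlines()-based parser makes of one raw header value.

    The bytes are decoded as latin-1 (an assumption for this demo) so that every
    byte maps to exactly one code point; str.splitlines() is then applied, which
    is the step that turns an embedded separator byte into an extra line.
    """
    return raw_value.decode("latin-1").splitlines()


def header_values_are_safe(headers: Iterable[tuple[bytes, bytes]]) -> tuple[bool, str]:
    """Return (True, "ok") or (False, reason) for a list of (name, value) pairs.

    Any value containing one of the differential bytes is rejected. This mirrors
    the mitigation described for daphne 4.2.2 (answer 400) but is a stand-alone
    illustration, not daphne's own implementation.
    """
    for name, value in headers:
        bad = PARSER_DIFFERENTIAL_BYTES.intersection(value)
        if bad:
            return False, f"header {name!r} contains separator byte(s) {sorted(bad)}"
    return True, "ok"


# Constructed sample headers: the second value carries a vertical-tab byte, which
# a CRLF-only parser hands over as one value but splitlines() sees as two lines.
CONSTRUCTED_HEADERS = [
    (b"host", b"example.invalid"),
    (b"x-demo", b"first\x0bsecond"),
]

if __name__ == "__main__":
    for name, value in CONSTRUCTED_HEADERS:
        print(name.decode(), "->", lines_after_splitlines(value))
    print(header_values_are_safe(CONSTRUCTED_HEADERS))
```

The check operates on the raw bytes before any decoding, which is the only place it can be applied reliably: once the value has been decoded and split, the extra line is indistinguishable from a genuine additional header.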
