CVE-2026-49853

EUVD-2026-44503
Tornado is a Python web framework and asynchronous networking library. Prior to 6.5.6, SimpleAsyncHTTPClient shallow-copied redirected requests and removed only the Host header, leaving Authorization, auth_username, auth_password, and auth_mode in place when a redirect changed scheme, host, or port. This issue is fixed in version 6.5.6.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
GitHub_MCNA
7.7 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
tornadowebtornado
𝑥
< 6.5.6
CNA
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
python3-tornado
suse enterprise sap 15 SP4
4.5.3-150000.3.22.1
fixed
suse enterprise sap 15 SP5
4.5.3-150000.3.22.1
fixed
suse enterprise sap 15 SP6
4.5.3-150000.3.22.1
fixed
suse enterprise server 15 SP4
4.5.3-150000.3.22.1
fixed
suse enterprise server 15 SP5
4.5.3-150000.3.22.1
fixed
suse enterprise server 15 SP6
4.5.3-150000.3.22.1
fixed
python311-tornado6
suse enterprise desktop 15 SP7
6.3.2-150400.9.18.1
fixed
suse enterprise sap 15 SP4
6.3.2-150400.9.18.1
fixed
suse enterprise sap 15 SP5
6.3.2-150400.9.18.1
fixed
suse enterprise sap 15 SP6
6.3.2-150400.9.18.1
fixed
suse enterprise sap 15 SP7
6.3.2-150400.9.18.1
fixed
suse enterprise server 15 SP4
6.3.2-150400.9.18.1
fixed
suse enterprise server 15 SP5
6.3.2-150400.9.18.1
fixed
suse enterprise server 15 SP6
6.3.2-150400.9.18.1
fixed
suse enterprise server 15 SP7
6.3.2-150400.9.18.1
fixed