Medium6.1Red Hat Linux Updated
Open Redirect vulnerability via HTTP Location header normalization
CVE-2026-44889 Published Jun 22, 2026Updated by vendor Jun 22, 2026
Affected products & platforms
Red Hat LinuxUnclassified
Summary
Open Redirect vulnerability via HTTP Location header normalization. Red Hat rates this moderate (CVSS 6.1). Weakness: CWE-601.
Affected versions
- < 1.8.10
- < 3.10
Official advisory · high-confidence parse· fetched 7 hours ago·verify at source
Mitigation checklist
Recommended fix / mitigation
- This vulnerability in WebOb is only exploitable when running under Python 3.10 or later, where urllib.parse.urlsplit strips ASCII tab, carriage return, and newline characters before parsing. Red Hat Enterprise Linux, OpenShift Container Platform, Red Hat OpenStack Platform, Red Hat Ceph Storage, and Red Hat Quay all ship python-webob with Python 3.9 or earlier as the platform Python runtime, and are therefore not affected by this vulnerability. Fedora and EPEL ship python-webob under Python 3.12+, where the vulnerability is exploitable. Users running WebOb on Python 3.10+ should upgrade to WebOb 1.8.10. As a workaround, applications can validate that redirect targets start with a scheme (e.g. http:// or https://) and the expected host before assigning to Response.location.
Official advisory · high-confidence parse· fetched 7 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.