CVE-2026-26308

Envoy CVE-2026-26308 affects the Envoy RBAC filter. The issue arises from how multiple HTTP header values are validated: instead of validating each value separately, Envoy concatenates all values into a single comma-separated string, allowing bypass of Deny rules under RBAC. Affects versions prio...

EUVD-2026-10798

Envoy has RBAC Header Validation Bypass via Multi-Value Header Concatenation...

tornado: Tornado Quadratic DoS via Repeated Header Coalescing

A denial of service flaw has been discovered in the Tornado networking library. In Tornado, a single maliciously crafted HTTP request can block the server's event loop for an extended period, caused by the HTTPHeaders.add method. The function accumulates values using string concatenation when the...

OESA-2026-1130 python-tornado security update

Tornado is an open source version of the scalable, non-blocking web server and tools. Security Fixes: Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, a single maliciously crafted HTTP request can block the server's event loop for an extended...

CVE-2025-67725 Tornado is Vulnerable to Quadratic DoS via Repeated Header Coalescing

Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, a single maliciously crafted HTTP request can block the server's event loop for an extended period, caused by the HTTPHeaders.add method. The function accumulates values using string concatenation...