Fluid Attacks Database

Description

pyOpenSSL is a Python wrapper around the OpenSSL library. Starting in version 22.0.0 and prior to version 26.0.0, if a user provided callback to set_cookie_generate_callback returned a cookie value greater than 256 bytes, pyOpenSSL would overflow an OpenSSL provided buffer. Starting in version 26.0.0, cookie values that are too long are now rejected.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	pyopenssl	>=22.0.0 <26.0.0	26.0.0
debian 13	pyopenssl	=25.0.0-1 \|\| =25.1.0-1 \|\| =25.1.0-2 \|\| =25.3.0-1 \|\| =25.3.0-2 \|\| =26.0.0-1 \|\| =26.1.0-1	-
debian 12	pyopenssl	=23.0.0-1 \|\| =23.2.0-1 \|\| =24.0.0-1 \|\| =24.0.0-2 \|\| =24.0.0-3 \|\| =24.0.0-4 \|\| =24.0.0-5 \|\| =24.1.0-1 \|\| =24.2.1-1 \|\| =24.3.0-1 \|\| =25.0.0-1 \|\| =25.1.0-1 \|\| =25.1.0-2 \|\| =25.3.0-1 \|\| =25.3.0-2 \|\| =26.0.0-1 \|\| =26.1.0-1	-
debian 14	pyopenssl	=25.0.0-1 \|\| =25.1.0-1 \|\| =25.1.0-2 \|\| =25.3.0-1 \|\| =25.3.0-2 \|\| >=0 <26.0.0-1	26.0.0-1

Aliases

1. CVE-2026-274592. NVD-2026-274593. OSV-2026-274594. OSV-DEBIAN-2026-274595. GHSA-5pwr-322w-8jr46. GCVE-2026-274597. SECURITY-TRACKER-CVE-2026-27459

References

1. https://github.com/pyca/pyopenssl/security/advisories/GHSA-5pwr-322w-8jr42. https://github.com/pyca/pyopenssl/commit/57f09bb4bb051d3bc2a1abd36e9525313d5cd4083. https://github.com/pyca/pyopenssl/blob/358cbf29c4e364c59930e53a270116249581eaa3/CHANGELOG.rst

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.