CVE-2026-49853 - Tornado cross-origin redirect credential leak

CVE-2026-49853 affects Tornado’s SimpleAsyncHTTPClient. In vulnerable versions, when a request follows a redirect to a different origin, Tornado removes only the Host header and can still forward Authorization, auth_username, auth_password, and related auth state to the redirected destination.

This is an outbound-client data exposure issue. If the application talks to a URL that an attacker can influence and follow_redirects=True is in play, credentials meant for one service can be disclosed to another.

When to use it

Use this recipe when a Python repository depends on Tornado and uses SimpleAsyncHTTPClient or AsyncHTTPClient for outbound requests that may follow redirects while carrying credentials. It is especially useful for webhook delivery, OAuth/OIDC metadata fetches, package/model downloads, internal API clients, SSRF-prone URL fetchers, scanners, and agent tools that accept user or tenant supplied URLs.

Use it to upgrade Tornado and add redirect hygiene tests. Do not use it to send real credentials to external redirect targets.

Inputs

  • Python dependency files, lockfiles, containers, SBOMs, generated dependency reports, images, and deployment artifacts that may resolve tornado.
  • Outbound client helpers using SimpleAsyncHTTPClient, AsyncHTTPClient, HTTPRequest, follow_redirects, inline auth, Authorization, cookies, service-account headers, or auth_username / auth_password.
  • Data-flow evidence showing whether request URLs are trusted config, tenant supplied, unauthenticated input, webhook provider controlled, OAuth/provider supplied, agent/tool supplied, or model-provider supplied.
  • Destination trust policy for high-value credentials: scheme, host, port, redirect policy, allow-list, token scope, token lifetime, and rotation owner.
  • Safe regression fixtures for cross-origin redirects that use synthetic credentials and local test servers only.

Affected versions

  • Vulnerable: tornado < 6.5.6
  • Fixed: 6.5.6+
  • Default-risk setting: follow_redirects=True

Indicator-of-exposure

  • The repository resolves tornado < 6.5.6.
  • Application code uses SimpleAsyncHTTPClient or AsyncHTTPClient against attacker-influenced URLs.
  • Requests include Authorization, inline credentials, or service-account headers and permit redirects.

Quick checks:

rg -n "SimpleAsyncHTTPClient|AsyncHTTPClient|follow_redirects|Authorization|auth_username|auth_password|HTTPRequest\\(" .
python -m pip show tornado

Windows:

rg -n "SimpleAsyncHTTPClient|AsyncHTTPClient|follow_redirects|Authorization|auth_username|auth_password|HTTPRequest\\(" .
python -m pip show tornado

Do not test by leaking real credentials to attacker-controlled redirect hosts.

Remediation strategy

  • Upgrade Tornado to 6.5.6+.
  • Review outbound clients that follow redirects while carrying credentials.
  • Add explicit redirect policies or destination allow-lists for high-trust service credentials.
  • Reduce long-lived shared credentials in clients that can reach untrusted domains.

The prompt

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

You are remediating CVE-2026-49853 / GHSA-3x9g-8vmp-wqvf, a Tornado redirect
credential leak in `SimpleAsyncHTTPClient`. Produce exactly one output:

- A reviewer-ready PR/change request that upgrades Tornado, hardens outbound
  redirect handling, adds safe regression checks, and documents operator
  follow-up, or
- TRIAGE.md if this repository does not control an affected Tornado client.

## Rules

- Scope only CVE-2026-49853 and directly related outbound HTTP client usage.
- Treat bearer tokens, passwords, cookies, and service-account credentials as
  sensitive.
- Do not send real credentials to attacker-controlled redirect targets.
- Do not auto-merge.

## Steps

1. Inventory every Tornado dependency, lockfile, image, and client helper.
2. Determine whether any resolved version is below `6.5.6`.
3. Search for redirect-following outbound requests that carry credentials.
4. If no controlled affected client exists, stop with `TRIAGE.md`.
5. Upgrade Tornado to `6.5.6+` and refresh dependency artifacts.
6. Add safe regression coverage showing cross-origin redirects do not retain
   auth material.
7. Tighten outbound URL trust rules where service credentials can reach
   attacker-influenced destinations.
8. Add a PR body section named `CVE-2026-49853 operator actions` covering
   versions before and after, which clients were audited, and whether any
   credential rotation is advised.
9. Run relevant validation: package install, tests, client regressions,
   linting, and dependency/security scans.
10. Use PR title:
    `fix(sec): remediate CVE-2026-49853 in Tornado clients`.

## Stop conditions

- No affected Tornado client is controlled here.
- Verification would require disclosing live credentials to an external host.
- Outbound client behavior is owned by another service outside this repository.

Verification - what the reviewer looks for

  • No controlled install resolves tornado < 6.5.6.
  • Redirect regression tests prove auth state is dropped on cross-origin redirects.
  • High-trust outbound clients no longer mix untrusted destinations with redirect-following credentials.

Watch for

  • Upgrading Tornado while vendored helper code reimplements the old behavior.
  • Assuming AsyncHTTPClient usage is safe without checking the concrete client.
  • Leaving long-lived credentials on clients that accept arbitrary URLs.

Output contract

Return one of:

  • A reviewer-ready PR/change request that upgrades Tornado to 6.5.6+, audits redirect-following credentialed clients, adds safe regression tests proving auth state drops on cross-origin redirects, tightens outbound URL trust rules, refreshes artifacts, and documents credential review.
  • TRIAGE.md when no controlled affected Tornado dependency, client helper, image, or deployment artifact exists.

The output must list versions before/after, credentialed clients audited, attacker-influenced URL sources, redirect policy changes, validation commands, and whether rotation is advised. It must not leak real credentials, contact attacker-controlled redirect targets with live tokens, capture authorization headers, or remove useful outbound validation to silence the alert.

References