CVE-2026-3446

Base64 decoding stops at first padded quad by default

Severity Score

6.0

*CVSS v4

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

When calling base64.b64decode() or related functions the decoding process would stop after encountering the first padded quad regardless of whether there was more information to be processed. This can lead to data being accepted which may be processed differently by other implementations. Use "validate=True" to enable stricter processing of base64 data.

*Credits: Serhiy Storchaka

CVSS Scores

Python SFv4 6.0

Attack Vector

Network

Attack Complexity

High

Attack Requirements

Present

Privileges Required

Low

User Interaction

None

System

Vulnerable | Subsequent

Confidentiality

None

Integrity

High

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2026-03-02 CVE Reserved
2026-04-10 CVE Published
2026-04-13 CVE Updated
2026-05-12 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-345: Insufficient Verification of Data Authenticity

CAPEC

References (6)

URL	Tag	Source
https://github.com/python/cpython/issues/145264	Issue Tracking

URL	Date	SRC

URL	Date	SRC
https://github.com/python/cpython/commit/1f9958f909c1b41a4ffc0b613ef8ec8fa5e7c474	2026-04-13
https://github.com/python/cpython/commit/4561f6418a691b3e89aef0901f53fe0dfb7f7c0e	2026-04-13
https://github.com/python/cpython/commit/e31c55121620189a0d1a07b689762d8ca9c1b7fa	2026-04-13
https://github.com/python/cpython/pull/145267	2026-04-13

URL	Date	SRC
https://mail.python.org/archives/list/security-announce@python.org/thread/F5ZT5ICGJ6CKXVUJ34YBVY7WOZ5SHG53	2026-04-13

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Python Software Foundation Search vendor "Python Software Foundation"		CPython Search vendor "Python Software Foundation" for product "CPython"				< 3.13.13 Search vendor "Python Software Foundation" for product "CPython" and version " < 3.13.13"		en		Affected
Python Software Foundation Search vendor "Python Software Foundation"		CPython Search vendor "Python Software Foundation" for product "CPython"				>= 3.14.0 < 3.14.4 Search vendor "Python Software Foundation" for product "CPython" and version " >= 3.14.0 < 3.14.4"		en		Affected