The Tornado web framework has fixed three security vulnerabilities in its 6.5.6 release. The most severe (CVE-2026-49853) is a credential leak: SimpleAsyncHTTPClient kept sending the original Authorization header while following redirects, even when the redirect pointed at a different origin, so credentials meant for one host could be delivered to whatever origin the redirect named. The second (CVE-2026-49855) is a gzip bomb: a small compressed response body could expand into an arbitrarily large decompressed buffer and exhaust memory; the fix caps the size of decompressed responses.
The third flaw (CVE-2026-49854) is a memory exposure issue in the WebSocket mask function. Users should upgrade to 6.5.6 or later as soon as possible; where an upgrade cannot be rolled out immediately, temporary mitigations in the calling code are advised.