Tornado is a Python web framework and asynchronous networking library. Prior to 6.5.6, SimpleAsyncHTTPClient shallow-copied redirected requests and removed only the Host header, leaving Authorization, authusername, authpassword, and auth_mode in place when a redirect changed scheme, host, or port. This issue is fixed in version 6.5.6.
{
"cwe_ids": [
"CWE-200"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/49xxx/CVE-2026-49853.json",
"cna_assigner": "GitHub_M"
}