EEF-CVE-2026-47070

Source
https://cna.erlef.org/osv/EEF-CVE-2026-47070.html
Import Source
https://cna.erlef.org/osv/EEF-CVE-2026-47070.json
JSON Data
https://api.osv.dev/v1/vulns/EEF-CVE-2026-47070
Aliases
  • CVE-2026-47070
  • GHSA-h73q-4w9q-82h4
Published
2026-05-25T14:00:46.420Z
Modified
2026-05-25T14:26:25.776108695Z
Severity
  • 6.0 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
HTTP/3 redirect handler leaks Authorization and Cookie headers to cross-origin redirect target in hackney
Details

Summary

Sensitive Data Exposure vulnerability in benoitc hackney allows Retrieve Embedded Sensitive Data. The HTTP/3 redirect handler in src/hackney_h3.erl passes the original request headers unchanged to the redirect target without performing any cross-origin check. When a client issues an HTTP/3 request with follow_redirect enabled and includes Authorization or Cookie headers, a server responding with a 3xx redirect to a different host will cause the client to forward those credentials verbatim to the new origin.

The main hackney.erl module has maybe_strip_auth_on_redirect/2 (guarded by the location_trusted option) to address CVE-2018-1000007, but hackney_h3.erl is missing this protection entirely.

This issue affects hackney: from 3.1.1 before 4.0.1.
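The check the advisory says is missing from the HTTP/3 path, written out as an added example in Python (not hackney's own Erlang code): credentials are forwarded to a 3xx Location only when the target shares the original origin or the caller has opted in with a location_trusted-style flag. Header names, the helper functions and the URLs are constructed for illustration.

```python
from urllib.parse import urlsplit, urljoin

# Credential-bearing headers that must not cross an origin boundary.
SENSITIVE_HEADERS = frozenset({"authorization", "cookie"})


def same_origin(url_a: str, url_b: str) -> bool:
    """True when scheme, host and effective port all match."""
    a, b = urlsplit(url_a), urlsplit(url_b)
    default_ports = {"http": 80, "https": 443}
    port_a = a.port or default_ports.get(a.scheme)
    port_b = b.port or default_ports.get(b.scheme)
    return (a.scheme, a.hostname, port_a) == (b.scheme, b.hostname, port_b)


def redirect_headers(original_url, location, headers, location_trusted=False):
    """Headers to send when following a 3xx to `location` (hardened form).

    Mirrors the behaviour the advisory attributes to hackney.erl's
    maybe_strip_auth_on_redirect/2 (names assumed from the advisory text):
    Authorization and Cookie are kept only for a same-origin target or when
    the caller explicitly trusts the Location header.
    """
    target = urljoin(original_url, location)  # Location may be relative
    if location_trusted or same_origin(original_url, target):
        return target, dict(headers)
    stripped = {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}
    return target, stripped


def vulnerable_redirect_headers(original_url, location, headers):
    """The missing check: every header is forwarded verbatim, as the advisory
    describes for the HTTP/3 handler. Kept only for side-by-side comparison."""
    return urljoin(original_url, location), dict(headers)


if __name__ == "__main__":
    # Constructed request headers; the token and cookie values are placeholders.
    hdrs = {"Authorization": "Bearer constructed-token", "Cookie": "sid=constructed", "Accept": "*/*"}
    origin = "https://api.example.com/v1/resource"
    _, safe = redirect_headers(origin, "https://third-party.example.net/capture", hdrs)
    _, leaky = vulnerable_redirect_headers(origin, "https://third-party.example.net/capture", hdrs)
    print("hardened forwards:", sorted(safe))   # ['Accept']
    print("vulnerable forwards:", sorted(leaky))  # ['Accept', 'Authorization', 'Cookie']
```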

Database specific
{
    "cpe_ids": [
        "cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*"
    ],
    "capec_ids": [
        "CAPEC-37"
    ],
    "cwe_ids": [
        "CWE-601"
    ]
}
References
Credits
    • Peter Ullrich - FINDER
    • Benoit Chesneau - REMEDIATION_DEVELOPER
    • Jonatan Männchen - ANALYST

Affected packages

Hex / hackney

Package

Name
hackney
Purl
pkg:hex/hackney

Affected ranges

Type
SEMVER
Events
Introduced
3.1.1
Fixed
4.0.1

Affected versions

3.*
3.1.1
3.1.2
3.2.0
3.2.1
4.*
4.0.0

Database specific

source
"https://cna.erlef.org/osv/EEF-CVE-2026-47070.json"

Git / github.com/benoitc/hackney

Affected ranges

Type
GIT
Repo
https://github.com/benoitc/hackney
Events

Affected versions

3.*
3.1.1
3.1.2
3.2.0
3.2.1
4.*
4.0.0

Database specific

source
"https://cna.erlef.org/osv/EEF-CVE-2026-47070.json"