EEF-CVE-2026-48595

See a problem?
Please try reporting it to the source first.

Source

https://cna.erlef.org/osv/EEF-CVE-2026-48595.html

Import Source

https://cna.erlef.org/osv/EEF-CVE-2026-48595.json

JSON Data

https://api.osv.dev/v1/vulns/EEF-CVE-2026-48595

Aliases

CVE-2026-48595
GHSA-9m9w-gxf7-rh8m

Published

2026-06-02T19:08:48.339Z

Modified

2026-06-04T04:45:31.067Z

Severity

8.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

Authorization header leaks to third-party origin on cross-origin redirect in Tesla.Middleware.FollowRedirects

Details

Summary

Improper Handling of Case Sensitivity vulnerability in elixir-tesla tesla allows credential leakage to a third-party origin on cross-origin redirects.

Tesla.Middleware.FollowRedirects strips security-sensitive headers on cross-origin redirects using a case-sensitive string comparison against a lowercase filter list (@filter_headers ["authorization", "host"]). HTTP header names are case-insensitive per RFC 7230, but Tesla preserves header keys verbatim as supplied by the caller without normalizing case. A header set as {"Authorization", "Bearer …"} (the RFC 7235 canonical casing used by virtually all HTTP libraries and documentation) does not match the lowercase filter entry and is forwarded to the redirect destination. An attacker who can control or influence a Location: response seen by the client (via their own endpoint, a redirect-open upstream, or a compromised origin) receives the bearer token or other Authorization material on the cross-origin request.

This issue affects tesla: from 1.4.0 before 1.18.3.

Workaround

Normalize all header keys to lowercase before passing them to Tesla. Use "authorization" instead of "Authorization" when setting headers via Tesla.put_header/3 or Tesla.Middleware.Headers.

Configuration

The application must include Tesla.Middleware.FollowRedirects in its Tesla middleware pipeline.

Database specific

{
    "cwe_ids": [
        "CWE-178"
    ],
    "cpe_ids": [
        "cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:*"
    ],
    "capec_ids": [
        "CAPEC-267"
    ]
}

References

Credits

- Peter Ullrich - FINDER
- Yordis Prieto - REMEDIATION_DEVELOPER
- Jonatan Männchen - ANALYST

Affected packages

Hex / tesla

Package

Name: tesla
Purl: pkg:hex/tesla

Affected ranges

Type: SEMVER
Events: Introduced

1.4.0

Fixed

1.18.3

Affected versions

1.*

1.4.0

1.4.1

1.4.2

1.4.3

1.4.4

1.5.0

1.5.1

1.6.0

1.6.1

1.7.0

1.8.0

1.8.1

1.9.0

1.10.0

1.10.1

1.10.2

1.10.3

1.11.0

1.11.1

1.11.2

1.12.0

1.12.1

1.12.2

1.12.3

1.13.0

1.13.1

1.13.2

1.14.0

1.14.1

1.14.2

1.14.3

1.15.0

1.15.1

1.15.2

1.15.3

1.16.0

1.17.0

1.18.0

1.18.1

1.18.2

Database specific

source

"https://cna.erlef.org/osv/EEF-CVE-2026-48595.json"

Git / github.com/elixir-tesla/tesla.git

Affected ranges

Type: GIT
Repo: https://github.com/elixir-tesla/tesla.git
Events: Introduced

2d937d5813d7cda5cd726f41824985fb655c920f

Fixed

db963dba67651b9abd1fc420a1d9679cf6efe182

Database specific

source

"https://cna.erlef.org/osv/EEF-CVE-2026-48595.json"