EEF-CVE-2026-48856

See a problem?
Please try reporting it to the source first.

Source

https://cna.erlef.org/osv/EEF-CVE-2026-48856.html

Import Source

https://cna.erlef.org/osv/EEF-CVE-2026-48856.json

JSON Data

https://api.osv.dev/v1/vulns/EEF-CVE-2026-48856

Aliases

CVE-2026-48856
GHSA-m75x-4vwg-ggjh

Published

2026-06-10T14:41:51.616Z

Modified

2026-06-11T04:45:35.836Z

Severity

7.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

httpc leaks Authorization header to cross-origin redirect targets

Details

Summary

Sensitive Data Exposure vulnerability in Erlang OTP inets (httpc_response module) allows Retrieve Embedded Sensitive Data.

The httpc client forwards the Authorization and Proxy-Authorization request headers to redirect targets without checking whether the redirect crosses an origin boundary. httpc_response:redirect/2 constructs the redirected request by updating only the host field of the header record; all other fields (including authorization and proxy_authorization) are copied verbatim. The redirect target host is never compared against the original host.

autoredirect defaults to true, so this affects all httpc callers that do not explicitly disable automatic redirects.

An attacker who controls a server that the victim contacts via httpc can issue a cross-origin 3xx redirect to a server they also control. The Authorization header (including Basic credentials derived from URL userinfo via httpc_request:handle_user_info/2) is forwarded to the redirect target, allowing credential theft. The same applies to the Proxy-Authorization header.

This vulnerability is associated with program files lib/inets/src/http_client/httpc_response.erl.

This issue affects OTP from 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10 before 9.7.1, 9.6.2.2 and 9.3.2.6.

Workaround

* Set {autoredirect, false} in the httpc:request/4 options and handle redirects manually, stripping the Authorization header when the redirect crosses an origin boundary. * Ensure that httpc is only used to contact trusted servers that will not issue cross-origin redirects.

Database specific

{
    "cwe_ids": [
        "CWE-601"
    ],
    "cpe_ids": [
        "cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"
    ],
    "capec_ids": [
        "CAPEC-37"
    ]
}

References

Credits

- Jonatan Männchen / EEF - FINDER
- Jonatan Männchen / EEF - REMEDIATION_DEVELOPER
- Ingela Anderton Andin - REMEDIATION_REVIEWER
- Konrad Pietrzak - REMEDIATION_REVIEWER

Affected packages

Git / github.com/erlang/otp

Affected ranges

Type: GIT
Repo: https://github.com/erlang/otp
Events: Introduced

84adefa331c4159d432d22840663c38f155cd4c1

Fixed

688d748d6f7a6a06b13b662a1d3de8af97079612

Affected versions

OTP-17.*

OTP-17.0

OTP-18.*

OTP-18.0

OTP-18.0-rc1

OTP-19.*

OTP-19.0

OTP-19.0-rc1

OTP-19.0-rc2

OTP-20.*

OTP-20.0

OTP-20.0-rc1

OTP-20.0-rc2

OTP-21.*

OTP-21.0

OTP-21.0-rc1

OTP-21.0-rc2

OTP-22.*

OTP-22.0

OTP-22.0-rc1

OTP-22.0-rc2

OTP-22.0-rc3

OTP-23.*

OTP-23.0

OTP-23.0-rc1

OTP-23.0-rc2

OTP-23.0-rc3

OTP-24.*

OTP-24.0

OTP-24.0-rc1

OTP-24.0-rc2

OTP-24.0-rc3

OTP-25.*

OTP-25.0

OTP-25.0-rc1

OTP-25.0-rc2

OTP-25.0-rc3

OTP-26.*

OTP-26.0

OTP-26.0-rc1

OTP-26.0-rc2

OTP-26.0-rc3

OTP-27.*

OTP-27.0

OTP-27.0-rc1

OTP-27.0-rc2

OTP-27.0-rc3

OTP-27.1

OTP-27.2

OTP-27.3

OTP-27.3.1

OTP-27.3.2

OTP-27.3.3

OTP-27.3.4

OTP_17.*

OTP_17.0-rc1

OTP_17.0-rc2

Other

OTP_R13B03

OTP_R13B04

OTP_R14A

OTP_R14B

OTP_R14B01

OTP_R14B02

OTP_R14B03

OTP_R15A

OTP_R15B

OTP_R16A_RELEASE_CANDIDATE

OTP_R16B

patch-base-27

Database specific

source

"https://cna.erlef.org/osv/EEF-CVE-2026-48856.json"