CVE-2026-47070
Received Received - Intake
Sensitive Data Exposure in hackney via HTTP/3 Redirect

Publication date: 2026-05-25

Last updated on: 2026-05-25

Assigner: EEF

Description
Sensitive Data Exposure vulnerability in benoitc hackney allows Retrieve Embedded Sensitive Data. The HTTP/3 redirect handler in src/hackney_h3.erl passes the original request headers unchanged to the redirect target without performing any cross-origin check. When a client issues an HTTP/3 request with follow_redirect enabled and includes Authorization or Cookie headers, a server responding with a 3xx redirect to a different host will cause the client to forward those credentials verbatim to the new origin. The main hackney.erl module has maybe_strip_auth_on_redirect/2 (guarded by the location_trusted option) to address CVE-2018-1000007, but hackney_h3.erl is missing this protection entirely. This issue affects hackney: from 3.1.1 before 4.0.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-25
Last Modified
2026-05-25
Generated
2026-05-26
AI Q&A
2026-05-26
EPSS Evaluated
N/A
NVD
CVE-2026-47070
EUVD
EUVD-2026-31692
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
benoitc hackney From 3.1.1 (inc) to 4.0.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a Sensitive Data Exposure issue in the benoitc hackney HTTP client library, specifically in its HTTP/3 redirect handler (hackney_h3.erl). When a client makes an HTTP/3 request with the follow_redirect option enabled and includes sensitive headers like Authorization or Cookie, the client forwards these headers unchanged to the redirect target, even if the redirect points to a different host. This happens because the HTTP/3 redirect handler does not perform any cross-origin checks before forwarding the headers.

While the main hackney module has a mechanism (maybe_strip_auth_on_redirect/2) to prevent this by stripping authentication headers on redirects to untrusted locations, this protection is missing in the HTTP/3 redirect handler, leading to potential exposure of sensitive credentials to unintended hosts.


How can this vulnerability impact me? :

This vulnerability can lead to the unintended disclosure of sensitive credentials such as Authorization tokens or Cookies to third-party or malicious hosts when an HTTP/3 redirect occurs. If an attacker controls or monitors the redirect target, they could capture these credentials and use them to impersonate the user or gain unauthorized access to protected resources.

This exposure increases the risk of account compromise, data breaches, and unauthorized actions performed on behalf of the user, potentially leading to further security incidents.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

This vulnerability allows sensitive data such as Authorization or Cookie headers to be forwarded to unintended third-party origins without proper cross-origin checks. This exposure of sensitive credentials can lead to unauthorized access or data leakage.

Such exposure of sensitive data can negatively impact compliance with data protection regulations and standards like GDPR and HIPAA, which require strict controls over the handling and sharing of personal and sensitive information to prevent unauthorized disclosure.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart