CVE-2026-47076
Received Received - Intake
BaseFortify

Publication date: 2026-05-25

Last updated on: 2026-05-25

Assigner: EEF

Description
Interpretation Conflict vulnerability in benoitc hackney allows Server Side Request Forgery. hackney_url:normalize/2 URL-decodes the host component after the URL has been parsed into a #hackney_url{} record. OTP's uri_string:parse/1 and inet:parse_address/1 do not decode percent-escapes in the host, so a URL such as http://%31%32%37%2E%30%2E%30%2E%31/ is seen by a caller's allowlist validator with host %31%32%37%2E%30%2E%30%2E%31 (not an IP address), which passes the allowlist check. hackney's normalizer then decodes the host to 127.0.0.1 and opens a TCP connection to loopback. Because hackney:request/5 always calls hackney_url:normalize/2 with no opt-out, every request that takes a binary or list URL is affected. The same technique reaches cloud instance metadata services (169.254.169.254), RFC1918 networks, and any admin interface listening on localhost. This issue affects hackney: from 0.13.0 before 4.0.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-25
Last Modified
2026-05-25
Generated
2026-05-26
AI Q&A
2026-05-26
EPSS Evaluated
N/A
NVD
CVE-2026-47076
EUVD
EUVD-2026-31689
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
benoitc hackney From 0.13.0 (inc) to 4.0.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
CWE-436 Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is an Interpretation Conflict in the benoitc hackney library that allows Server Side Request Forgery (SSRF). The issue arises because hackney_url:normalize/2 URL-decodes the host component after the URL has been parsed, while OTP's uri_string:parse/1 and inet:parse_address/1 do not decode percent-escapes in the host. This discrepancy means that a URL like http://%31%32%37%2E%30%2E%30%2E%31/ appears to an allowlist validator as a non-IP address string, passing the check, but hackney then decodes it to 127.0.0.1 and opens a TCP connection to the loopback address. Since hackney:request/5 always calls hackney_url:normalize/2 without an opt-out, every request using a binary or list URL is vulnerable. This technique can be used to reach internal services such as cloud instance metadata services, RFC1918 networks, and admin interfaces on localhost.


How can this vulnerability impact me? :

This vulnerability can allow an attacker to bypass allowlist checks and make unauthorized requests from the vulnerable server to internal or protected network resources. This can lead to exposure of sensitive internal services such as cloud instance metadata endpoints, private network addresses, or administrative interfaces that are normally inaccessible externally. Exploiting this SSRF vulnerability could result in information disclosure, unauthorized access, or further attacks within the internal network.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart