CVE-2026-48595
Authorization Header Leak in Tesla
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: EEF
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| elixir-tesla | tesla | to 1.18.3 (exc) |
| elixir-tesla | tesla | From 0.6.0 (inc) to 1.18.2 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-178 | The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results. |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves improper handling of HTTP header case sensitivity in the Tesla HTTP client library, leading to credential leakage during cross-origin redirects. Detection involves monitoring HTTP traffic for Authorization headers being sent to unexpected or third-party redirect destinations, especially where the header casing might bypass filtering.
Concretely, look for cross-origin redirects in which the client forwards an Authorization header written in canonical casing (e.g., "Authorization") to the redirect target; that is exactly the case the lowercase filter misses.
Network capture tools such as tcpdump or Wireshark, combined with grep or a similar filter, are enough to spot this:
- `tcpdump -i any -A 'tcp port 80 or tcp port 443'` captures HTTP traffic on port 80 or 443 (only useful on 443 where the TLS session is decrypted); redirect its output to `captured_traffic.log` for the next steps.
- `grep -i 'Location:' captured_traffic.log` lists HTTP responses whose Location header signals a redirect.
- `grep -i 'Authorization:' captured_traffic.log` finds Authorization headers in requests sent to redirect destinations; omit `-i` to match only the canonical casing that slips past the lowercase filter.
- `curl -v -L https://example.com` follows redirects manually and prints the request headers sent on each hop.
Because Tesla does not normalize header keys to lowercase before filtering, the telltale sign is an Authorization header in canonical casing that is forwarded across a cross-origin redirect.
Can you explain this vulnerability to me?
CVE-2026-48595 is a vulnerability in the Tesla HTTP client library for Elixir, specifically in the Tesla.Middleware.FollowRedirects module. The issue arises because Tesla strips security-sensitive headers like "Authorization" and "Host" on cross-origin redirects using a case-sensitive comparison against a lowercase filter list.
HTTP header names are case-insensitive according to RFC 7230, but Tesla preserves header keys exactly as provided without normalizing their case. This means that headers with canonical casing such as "Authorization" do not match the lowercase filter and are forwarded to the redirect destination.
As a result, an attacker who can control or influence the redirect location can receive sensitive credentials like bearer tokens, leading to credential leakage to a third-party origin.
How can this vulnerability impact me?
This vulnerability can lead to the leakage of sensitive authentication credentials, such as bearer tokens, to unauthorized third-party origins during cross-origin redirects.
An attacker who controls or influences the redirect destination can capture these credentials, potentially gaining unauthorized access to protected resources or user accounts.
The impact is significant as it compromises the confidentiality of authentication tokens without requiring special configuration beyond the use of standard header casing.
The CVSS v4.0 score for this vulnerability is 8.2 (HIGH), indicating a high risk of exploitation and serious security consequences.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should normalize HTTP header keys to lowercase before passing them to the Tesla library or use lowercase header names such as "authorization" instead of "Authorization".
Upgrading Tesla to version 1.18.3 or later is recommended, as this version includes a fix that implements case-insensitive header filtering and stricter header stripping during redirects to prevent credential leakage.
- Use lowercase "authorization" headers temporarily if upgrading immediately is not possible.
- Ensure that your application does not forward security-sensitive headers like Authorization or Host on cross-origin redirects by applying the updated Tesla middleware or equivalent fixes.
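The following Elixir snippet is an added illustration, not Tesla's own code: a constructed module (hypothetical name `RedirectHeaderStrip`) contrasts the case-sensitive check that lets a canonically cased "Authorization" header survive a cross-origin redirect, as described above, with the case-insensitive check the mitigation calls for.

```elixir
# Added illustration (not Tesla's code): case-sensitive vs. case-insensitive
# stripping of sensitive headers on a cross-origin redirect.
defmodule RedirectHeaderStrip do
  # The filter list is lowercase, as in the vulnerable behaviour described above.
  @sensitive ["authorization", "host"]

  # A redirect is cross-origin when scheme, host or port differ.
  def cross_origin?(from, to) do
    a = URI.parse(from)
    b = URI.parse(to)
    {a.scheme, a.host, a.port} != {b.scheme, b.host, b.port}
  end

  # Vulnerable behaviour: the key is compared exactly as the caller wrote it,
  # so "Authorization" never matches the lowercase list and is forwarded.
  def strip_vulnerable(headers, from, to) do
    if cross_origin?(from, to),
      do: Enum.reject(headers, fn {k, _v} -> k in @sensitive end),
      else: headers
  end

  # Fixed behaviour: normalise the key before comparing, so any casing of
  # Authorization or Host is dropped on a cross-origin hop.
  def strip_fixed(headers, from, to) do
    if cross_origin?(from, to),
      do: Enum.reject(headers, fn {k, _v} -> String.downcase(k) in @sensitive end),
      else: headers
  end
end

# Constructed sample: an authenticated request to one origin that is
# redirected to a different, third-party origin.
headers = [{"Authorization", "Bearer constructed-sample-token"}, {"accept", "application/json"}]
from = "https://api.example.com/resource"
to = "https://third-party.example.net/landing"

# Case-sensitive filter: the bearer token is still in the forwarded headers.
IO.inspect(RedirectHeaderStrip.strip_vulnerable(headers, from, to), label: "vulnerable")

# Case-insensitive filter: only the harmless accept header remains.
IO.inspect(RedirectHeaderStrip.strip_fixed(headers, from, to), label: "fixed")

# Same-origin redirect: neither variant strips anything.
IO.inspect(RedirectHeaderStrip.strip_fixed(headers, from, "https://api.example.com/other"), label: "same-origin")
```

Run with `elixir redirect_header_strip.exs`; changing the sample key to lowercase "authorization" makes the vulnerable variant strip it too, which is why the lowercase workaround above helps until the upgrade.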
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Tesla allows credential leakage to third-party origins during cross-origin redirects by improperly handling case sensitivity in HTTP headers. This leakage of sensitive authentication credentials, such as bearer tokens in the Authorization header, can lead to unauthorized disclosure of personal or protected information.
Such unauthorized disclosure of sensitive credentials can impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal data and sensitive information against unauthorized access and leaks.
Therefore, applications using affected versions of Tesla (from 1.4.0 before 1.18.3) without mitigation may be at risk of non-compliance due to potential exposure of confidential authentication data.