CVE-2026-48856
Status: Received - Intake
Sensitive Data Exposure in Erlang OTP via HTTP Client Redirect

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: EEF

Description
Sensitive Data Exposure vulnerability in Erlang OTP inets (httpc_response module) allows an attacker to retrieve embedded sensitive data (CAPEC-37). The httpc client forwards the Authorization and Proxy-Authorization request headers to redirect targets without checking whether the redirect crosses an origin boundary. httpc_response:redirect/2 constructs the redirected request by updating only the host field of the header record; all other fields (including authorization and proxy_authorization) are copied verbatim. The redirect target host is never compared against the original host. autoredirect defaults to true, so this affects all httpc callers that do not explicitly disable automatic redirects.

An attacker who controls a server that the victim contacts via httpc can issue a cross-origin 3xx redirect to a server they also control. The Authorization header (including Basic credentials derived from URL userinfo via httpc_request:handle_user_info/2) is forwarded to the redirect target, allowing credential theft. The same applies to the Proxy-Authorization header.

This vulnerability is associated with program file lib/inets/src/http_client/httpc_response.erl. This issue affects OTP from 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13, corresponding to inets from 5.10 before 9.7.1, 9.6.2.2 and 9.3.2.6.
Meta Information
Generated: 2026-06-10
EPSS Evaluated: N/A
Affected Vendors & Products

Vendor   Product   Version / Range
erlang   otp       17.0 (inclusive) to 29.0.2 (exclusive)
erlang   inets     5.10 (inclusive) to 9.7.1 (exclusive)
erlang   otp       29.0.2
erlang   otp       28.5.0.2
erlang   otp       27.3.4.13
erlang   inets     9.7.1
erlang   inets     9.6.2.2
erlang   inets     9.3.2.6

The two ranges describe the affected releases; the single-version entries are the fixed releases named in the description (OTP 29.0.2, 28.5.0.2 and 27.3.4.13, inets 9.7.1, 9.6.2.2 and 9.3.2.6). Note that the ranges as listed do not exclude the patched 27.x and 28.x point releases, so check the exact OTP or inets version rather than relying on the range alone.
CWE ID Description
CWE-601 URL Redirection to Untrusted Site ('Open Redirect'): the web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. Note that in this CVE the defect is on the client side: httpc follows an attacker-supplied redirect and copies the credential-bearing headers into the new request, rather than a server accepting a user-controlled redirect target.
Executive Summary

This vulnerability is a Sensitive Data Exposure issue in the httpc client of the Erlang OTP inets library. The httpc client forwards the Authorization and Proxy-Authorization headers to redirect targets without verifying whether the redirect crosses an origin boundary. Specifically, when a redirect occurs, httpc_response:redirect/2 updates only the host field of the header record and copies all other fields, including the authorization headers, verbatim. Since automatic redirects (autoredirect) are enabled by default, this affects every httpc caller that does not disable them.

An attacker who controls a server that a victim contacts via httpc can issue a cross-origin 3xx redirect to another server they control. Because the Authorization header is forwarded to the redirect target, the attacker can steal credentials, including Basic authentication details derived from URL userinfo. The same applies to the Proxy-Authorization header.

Impact Analysis

This vulnerability can lead to credential theft by exposing sensitive Authorization and Proxy-Authorization headers to untrusted redirect targets. If an attacker controls a server that a vulnerable httpc client contacts, they can cause the client to follow a cross-origin redirect and forward sensitive credentials to the attacker's server.

This exposure can compromise authentication credentials, potentially allowing unauthorized access to protected resources or services that rely on these credentials.

Detection Guidance

The vulnerable condition is any use of the Erlang OTP httpc client with automatic redirects enabled (the default) on an affected version, since such a client forwards Authorization and Proxy-Authorization headers to a cross-origin redirect target.

To determine whether your systems are exposed:

  • Check whether your Erlang OTP version is affected: from 17.0 before 29.0.2, before 28.5.0.2 on the 28 branch, and before 27.3.4.13 on the 27 branch (inets from 5.10 before 9.7.1, 9.6.2.2 and 9.3.2.6).
  • Audit application code and configuration for httpc:request/4 calls whose HTTP options do not contain `{autoredirect, false}`; autoredirect defaults to true, so a call with no HTTP options is vulnerable.
  • Monitor for HTTP 3xx responses whose Location points to a different scheme, host or port than the request, followed by a request to that target that carries an Authorization or Proxy-Authorization header.

Suggested commands or approaches include:

  • Print the full OTP version. `erlang:system_info(otp_release)` returns only the major release (for example "27"), so read the OTP_VERSION file of the installed release instead: `erl -noshell -eval 'io:format("~s", [element(2, file:read_file(filename:join([code:root_dir(), "releases", erlang:system_info(otp_release), "OTP_VERSION"])))]), halt().'`. Print the inets version with `erl -noshell -eval 'application:load(inets), {ok, V} = application:get_key(inets, vsn), io:format("~s~n", [V]), halt().'`.
  • Search the codebase for httpc usage, e.g. `grep -rn 'httpc:request' ./`, and inspect the third argument (HTTP options) of each call for `{autoredirect, false}`.
  • For plaintext HTTP, capture traffic with `tcpdump -i any -A 'tcp port 80'` (or Wireshark) and look for an Authorization header in the request that follows a 3xx response to a different host. Headers inside TLS are not visible on the wire, so for HTTPS inspect at an endpoint you control (for example the access log of a test redirect target) rather than relying on a packet capture.
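As an added example (not part of the CVE record or of Erlang/OTP), the following Erlang module, whose name and function names are this page's own choice, reports the running OTP and inets versions and compares the OTP version against the fixed releases named above. It encodes the advisory's range as "17.0 or later, and older than the fixed release of the running major branch", with 29.0.2 as the fixed release for every branch the advisory does not name separately.

```erlang
%% Added example, not part of the CVE record or of Erlang/OTP: report the
%% running OTP and inets versions and compare the OTP version against the
%% fixed releases named in the advisory (29.0.2, 28.5.0.2, 27.3.4.13).
-module(cve_2026_48856_check).
-export([otp_version/0, inets_version/0, is_affected/1, check/0]).

%% Fixed point release per separately maintained branch; every other major
%% release from 17 up is fixed only from 29.0.2 on, so 26.x reports affected.
fixed_version(27) -> [27, 3, 4, 13];
fixed_version(28) -> [28, 5, 0, 2];
fixed_version(_)  -> [29, 0, 2].

%% erlang:system_info(otp_release) only returns the major release ("27"),
%% so read the full version string from the release's OTP_VERSION file.
otp_version() ->
    Path = filename:join([code:root_dir(), "releases",
                          erlang:system_info(otp_release), "OTP_VERSION"]),
    {ok, Bin} = file:read_file(Path),
    string:trim(binary_to_list(Bin)).

%% Version of the inets application shipped with this OTP, e.g. "9.7.1".
inets_version() ->
    _ = application:load(inets),    % ok, or {error, {already_loaded, inets}}
    {ok, Vsn} = application:get_key(inets, vsn),
    Vsn.

%% "27.3.4.12" -> [27, 3, 4, 12]. Erlang compares lists element-wise, so
%% parsed versions can be ordered with < and >= directly.
parse(Vsn) ->
    [list_to_integer(Part) || Part <- string:lexemes(Vsn, ".")].

%% true when Vsn is in "from 17.0 before the fixed release of its branch".
is_affected(Vsn) ->
    V = [Major | _] = parse(Vsn),
    V >= [17, 0] andalso V < fixed_version(Major).

%% Print a one-line verdict and return the boolean for use in scripts.
check() ->
    Otp = otp_version(),
    Affected = is_affected(Otp),
    Verdict = case Affected of
                  true  -> "AFFECTED by CVE-2026-48856, upgrade";
                  false -> "not affected"
              end,
    io:format("OTP ~s (inets ~s): ~s~n", [Otp, inets_version(), Verdict]),
    Affected.
```

Compile and run it with `erlc cve_2026_48856_check.erl && erl -noshell -eval 'cve_2026_48856_check:check(), halt().'`. is_affected/1 can also be called on a version string taken from an inventory, for example `is_affected("27.3.4.12")` returns true and `is_affected("27.3.4.13")` returns false.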
Mitigation Strategies

Immediate mitigation steps for CVE-2026-48856 include disabling automatic redirects in the httpc client and handling redirects in application code so that credential-bearing headers are not forwarded across origins.

  • Pass `{autoredirect, false}` in the HTTP options (third argument) of your `httpc:request/4` calls to disable automatic redirects; the default is true.
  • Handle 3xx responses in your own code, resolving the Location header against the request URL and stripping Authorization and Proxy-Authorization whenever the target's scheme, host or port differs from the request that received the redirect.
  • Avoid embedding credentials in URL userinfo (`https://user:pass@host/`), since httpc turns them into a Basic Authorization header that is subject to the same forwarding.
  • Where the set of servers is under your control, restrict the httpc client to trusted servers that will not issue cross-origin redirects.
  • Upgrade Erlang OTP and inets to patched versions: OTP 29.0.2, 28.5.0.2, or 27.3.4.13 (inets 9.7.1, 9.6.2.2, or 9.3.2.6). This is the only complete fix; the other items reduce exposure until you can upgrade.
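The following Erlang module is an added example (not OTP code and not from the advisory) of the manual-redirect mitigation: a GET wrapper that disables autoredirect, follows 3xx responses itself, resolves the Location header against the current URL, and drops Authorization and Proxy-Authorization whenever the target's scheme, host or effective port differs from the request that received the redirect. The module and function names, the redirect limit and the handling of relative or malformed Location values are this example's own choices, not httpc behaviour.

```erlang
%% Added example, not part of Erlang/OTP: follow redirects manually so that
%% credential-bearing headers are not copied across an origin boundary.
-module(safe_httpc).
-export([get/2, same_origin/2, strip_credentials/1]).

-define(MAX_REDIRECTS, 5).

%% Url is a string; Headers is a list of {Field, Value} strings as httpc expects.
get(Url, Headers) ->
    {ok, _} = application:ensure_all_started(inets),
    {ok, _} = application:ensure_all_started(ssl),
    do_get(Url, Headers, ?MAX_REDIRECTS).

do_get(_Url, _Headers, 0) ->
    {error, too_many_redirects};
do_get(Url, Headers, Left) ->
    %% autoredirect false: httpc hands us the 3xx instead of following it
    %% with every original header copied (the behaviour CVE-2026-48856 describes).
    case httpc:request(get, {Url, Headers}, [{autoredirect, false}], []) of
        {ok, {{_, Status, _}, RespHeaders, _Body}}
          when Status =:= 301; Status =:= 302; Status =:= 303;
               Status =:= 307; Status =:= 308 ->
            %% httpc lower-cases response header field names.
            case proplists:get_value("location", RespHeaders) of
                undefined ->
                    {error, {redirect_without_location, Status}};
                Location ->
                    %% Location may be relative; resolve it against the
                    %% URL that received the redirect, not the first URL.
                    case uri_string:resolve(Location, Url) of
                        {error, _, _} = Err ->
                            Err;
                        Target ->
                            NextHeaders = case same_origin(Url, Target) of
                                              true  -> Headers;
                                              false -> strip_credentials(Headers)
                                          end,
                            do_get(Target, NextHeaders, Left - 1)
                    end
            end;
        Other ->
            Other
    end.

%% Two URLs share an origin when scheme, host and effective port all match,
%% so an https -> http downgrade or a port change on the same host also
%% counts as crossing the boundary.
same_origin(UrlA, UrlB) ->
    origin(UrlA) =:= origin(UrlB).

origin(Url) ->
    Parsed = uri_string:parse(Url),
    Scheme = string:lowercase(maps:get(scheme, Parsed, "")),
    Host = string:lowercase(maps:get(host, Parsed, "")),
    Port = maps:get(port, Parsed, default_port(Scheme)),
    {Scheme, Host, Port}.

default_port("http") -> 80;
default_port("https") -> 443;
default_port(_) -> undefined.

%% Remove credential-bearing headers; field names compared case-insensitively.
strip_credentials(Headers) ->
    [H || {Field, _} = H <- Headers,
          not lists:member(string:lowercase(Field),
                           ["authorization", "proxy-authorization"])].
```

Because the redirect target is built from the response's Location rather than from the original request, userinfo credentials in the first URL (which httpc turns into a Basic Authorization header for that request only) are not carried to the target either. Once stripped, the headers stay stripped for the rest of the chain, even if a later hop redirects back to the original origin; that is the conservative choice for a credential-bearing request.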
Compliance Impact

This vulnerability allows sensitive data exposure by forwarding Authorization and Proxy-Authorization headers to cross-origin redirect targets without proper origin checks. Such unauthorized disclosure of credentials can lead to credential theft.

Exposure of sensitive authentication data can violate data protection requirements in common standards and regulations such as GDPR and HIPAA, which mandate the protection of personal and sensitive information against unauthorized access or disclosure.

Therefore, systems using affected versions of Erlang OTP's httpc client without mitigation may fail to comply with these regulations due to the risk of unauthorized credential exposure.

Mitigations such as disabling automatic redirects or restricting usage to trusted servers are necessary to maintain compliance and reduce the risk of sensitive data leakage.
