CVE-2026-48861
Deferred Deferred - Pending Action
CRLF Injection in Mint HTTP Library

Publication date: 2026-06-02

Last updated on: 2026-06-02

Assigner: EEF

Description
Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in elixir-mint Mint allows HTTP Request Splitting and HTTP Request Smuggling. In lib/mint/http1/request.ex, the encode_request_line/2 function splices the caller-supplied method and target arguments directly into the HTTP/1 request line without any character validation: [method, ?\s, target, " HTTP/1.1\r\n"]. An application that forwards attacker-controlled input as the HTTP method or target to Mint.HTTP.request/5 is therefore exposed to request-line CRLF injection: the attacker can terminate the request line early, inject arbitrary headers, and smuggle an entirely separate pipelined HTTP request onto the same TCP connection. Mint 1.7.0 introduced validate_request_target/2, which rejects CRLF and other control characters in the target by default and closes the path/query vector unless the caller opts out via skip_target_validation: true. The method field remains unvalidated, so the method-based injection is exploitable under the default Mint configuration on all versions. This issue affects mint: from 0.1.0 before 1.9.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-02
Last Modified
2026-06-02
Generated
2026-06-22
AI Q&A
2026-06-02
EPSS Evaluated
2026-06-21
NVD
CVE-2026-48861
EUVD
EUVD-2026-33938
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
elixir-mint mint From 0.1.0 (inc) to 1.9.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-93 The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-48861 is a CRLF injection vulnerability in the Mint HTTP/1 client library for Elixir, affecting versions prior to 1.9.0.

The vulnerability arises because the library directly inserts user-supplied HTTP method and target values into the HTTP request line without validating or sanitizing them.

This allows an attacker to inject CRLF (carriage return and line feed) sequences, which can prematurely terminate the request line, inject arbitrary HTTP headers, or smuggle additional malicious HTTP requests onto the same TCP connection.

While Mint 1.7.0 introduced validation for the request target to reject CRLF and control characters, the HTTP method field remained unvalidated, making the vulnerability exploitable by default.

Impact Analysis

This vulnerability can allow attackers to perform HTTP request splitting and HTTP request smuggling attacks.

By injecting CRLF sequences, attackers can forge HTTP headers such as Host or Authorization, poison caches, or send unauthorized requests to unintended endpoints.

The impact includes potential unauthorized access, manipulation of data, or disruption of services on the upstream server.

The CVSS score is low (2.1), indicating limited impact under typical conditions, but the attack complexity is low and no privileges are required, making exploitation feasible.

Detection Guidance

This vulnerability involves CRLF injection via unvalidated HTTP method or target fields in requests sent using the Mint HTTP client library. Detection involves monitoring HTTP requests for suspicious or malformed request lines that contain unexpected CRLF sequences or injected headers.

You can detect exploitation attempts by capturing and inspecting HTTP traffic on your network or system for request lines that contain embedded CRLF characters or multiple HTTP requests pipelined on the same TCP connection.

  • Use packet capture tools like tcpdump or Wireshark to capture HTTP traffic and filter for suspicious request lines.
  • Example tcpdump command to capture HTTP traffic on port 80 or 443 (if unencrypted): tcpdump -i <interface> -A -s 0 'tcp port 80 or tcp port 443'
  • Use grep or similar tools to search logs or captured data for CRLF sequences (%0d%0a) or suspicious header injections.
  • Inspect application logs for unusual HTTP method values or malformed request lines that could indicate injection attempts.
Mitigation Strategies

To mitigate this vulnerability, upgrade the Mint HTTP client library to version 1.9.0 or later, where validation of the HTTP method field has been added to prevent CRLF injection.

If upgrading immediately is not possible, ensure that any user-supplied input used as HTTP method or target in Mint.HTTP.request/5 is properly sanitized to reject CRLF and control characters.

Avoid passing attacker-controlled input directly as the HTTP method or target without validation.

Review and apply the patch from commit fad091454c which enforces RFC 9110 token rules on the HTTP method.

Compliance Impact

The vulnerability allows attackers to inject CRLF sequences into HTTP requests, enabling HTTP request splitting and smuggling. This can lead to unauthorized access, data manipulation, or service disruption on upstream servers.

Such unauthorized access and data manipulation risks could potentially impact compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and prevention of unauthorized access.

However, the CVSS score is low (2.1), indicating limited impact under typical conditions, and the vulnerability requires attacker-controlled input to exploit.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48861. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart