CVE-2026-56813
Received Received - Intake

Cookie Attribute Injection in Plug

Vulnerability report for CVE-2026-56813, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: EEF

Description

Improper Neutralization of Parameter/Argument Delimiters vulnerability in elixir-plug plug allows an attacker to inject or override HTTP cookie attributes. The Plug.Conn.Cookies.encode/2 function in lib/plug/conn/cookies.ex builds the Set-Cookie response header by interpolating the cookie value and its path, domain, same_site, and extra attributes directly into the header without neutralizing the ';' delimiter that separates cookie attributes. An application that places attacker-controlled data into a cookie value or attribute (for example via Plug.Conn.put_resp_cookie/4 when reflecting a username or preference) lets an attacker inject a ';' to append or override cookie attributes (such as Domain and Path scope, or dropping the Secure and HttpOnly flags), enabling cookie tossing and session fixation. Carriage return, line feed, and null bytes are rejected by Plug.Conn header validation, so HTTP response splitting is not possible, but attribute injection through ';' is not prevented. This issue affects plug: from 0.1.0 before 1.16.6, from 1.17.0 before 1.17.4, from 1.18.0 before 1.18.5, from 1.19.0 before 1.19.5, from 1.20.0 before 1.20.3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 5 associated CPEs
Vendor Product Version / Range
elixir-plug plug From 0.1.0 (inc) to 1.16.6 (exc)
elixir-plug plug From 1.17.0 (inc) to 1.17.4 (exc)
elixir-plug plug From 1.18.0 (inc) to 1.18.5 (exc)
elixir-plug plug From 1.19.0 (inc) to 1.19.5 (exc)
elixir-plug plug From 1.20.0 (inc) to 1.20.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-141 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as parameter or argument delimiters when they are sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Elixir Plug library's Plug.Conn.Cookies.encode/2 function, which constructs the Set-Cookie HTTP response header. The function directly interpolates cookie values and attributes such as path, domain, and same_site without properly neutralizing the semicolon (';') delimiter that separates cookie attributes.

An attacker can exploit this by injecting a semicolon into attacker-controlled data that is reflected into a cookie value or attribute. This allows the attacker to append or override cookie attributes, such as Domain, Path, Secure, or HttpOnly flags.

While carriage return, line feed, and null bytes are rejected to prevent HTTP response splitting, the injection of cookie attributes via semicolons is not prevented, enabling attacks like cookie tossing and session fixation.

Compliance Impact

This vulnerability allows an attacker to inject or override HTTP cookie attributes, potentially enabling cookie tossing and session fixation attacks by manipulating cookie attributes such as Domain, Path, Secure, or HttpOnly flags.

Such attacks can undermine the security of session management and data protection mechanisms, which are critical for compliance with standards like GDPR and HIPAA that require safeguarding personal data and ensuring secure user sessions.

If exploited, this vulnerability could lead to unauthorized access or session hijacking, thereby risking the confidentiality and integrity of personal data, which may result in non-compliance with these regulations.

Mitigation involves upgrading to patched versions of the Plug library or validating and rejecting semicolons in untrusted cookie data to prevent attribute injection.

Impact Analysis

This vulnerability can impact you by allowing an attacker to manipulate cookie attributes in your web application. Specifically, an attacker can inject or override cookie attributes such as Domain and Path scope or remove security flags like Secure and HttpOnly.

Such manipulation can lead to cookie tossing, where malicious cookies interfere with legitimate ones, or session fixation, where an attacker forces a user to use a known session ID, potentially leading to unauthorized access.

Because the vulnerability allows attribute injection without proper sanitization, it can undermine the security assumptions of cookie handling in affected applications.

Detection Guidance

This vulnerability involves injection of semicolons (;) into HTTP cookie attributes, which can be detected by inspecting Set-Cookie headers for unexpected or malformed cookie attributes that include semicolons.

To detect this on your system or network, you can monitor HTTP responses for Set-Cookie headers containing semicolons in cookie values or attributes where they should not appear.

  • Use command-line tools like curl or wget to fetch HTTP responses and inspect Set-Cookie headers, for example: curl -I http://your-app | grep Set-Cookie
  • Use packet capture tools like tcpdump or Wireshark to capture HTTP traffic and filter for Set-Cookie headers containing semicolons in cookie values.
  • Search application logs or code for usage of Plug.Conn.put_resp_cookie/4 or similar functions that reflect untrusted data into cookies without validation.

Note that the vulnerability specifically allows injection of semicolons into cookie attributes, so detection focuses on identifying semicolons in cookie values or attributes that could alter cookie behavior.

Mitigation Strategies

The primary mitigation is to upgrade the Elixir Plug library to a patched version where the vulnerability is fixed. The fix includes validation that rejects semicolons in cookie attributes and values.

  • Upgrade to Plug versions 1.16.6 or later, 1.17.4 or later, 1.18.5 or later, 1.19.5 or later, or 1.20.3 or later, as these versions include the fix.
  • If immediate upgrade is not possible, ensure that untrusted data reflected into cookies does not contain semicolons by validating or sanitizing input before setting cookies.
  • Review application code that uses Plug.Conn.put_resp_cookie/4 or similar functions to prevent injection of semicolons into cookie attributes.

These steps prevent attackers from injecting or overriding cookie attributes, mitigating risks such as cookie tossing and session fixation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56813. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart