CVE-2026-48856: Sensitive Data Exposure vulnerability in Erlang OTP inets (httpc_response module) allows Retrieve Embedded Sensitive Data. The httpc client forwards ...

Description

Sensitive Data Exposure vulnerability in Erlang OTP inets (httpc_response module) allows Retrieve Embedded Sensitive Data. The httpc client forwards the Authorization and Proxy-Authorization request headers to redirect targets without checking whether the redirect crosses an origin boundary. httpc_response:redirect/2 constructs the redirected request by updating only the host field of the header record; all other fields (including authorization and proxy_authorization) are copied verbatim. The redirect target host is never compared against the original host. autoredirect defaults to true, so this affects all httpc callers that do not explicitly disable automatic redirects. An attacker who controls a server that the victim contacts via httpc can issue a cross-origin 3xx redirect to a server they also control. The Authorization header (including Basic credentials derived from URL userinfo via httpc_request:handle_user_info/2) is forwarded to the redirect target, allowing credential theft. The same applies to the Proxy-Authorization header. This vulnerability is associated with program files lib/inets/src/http_client/httpc_response.erl. This issue affects OTP from 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10 before 9.7.1, 9.6.2.2 and 9.3.2.6.

Metrics

CVSS 3.1

6.5/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS 4.0

7.1/10

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS Probability

0.34%

25.4th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-601

Affected Software

Vendor	Product	Versions
Erlang	Erlang\/Inets	>= 5.10, < 9.3.2.6
Erlang	Erlang\/Inets	>= 9.6, < 9.6.2.2
Erlang	Erlang\/Inets	>= 9.7, < 9.7.1
Erlang	Erlang\/Otp	>= 17.0, < 27.3.4.13
Erlang	Erlang\/Otp	>= 28.0, < 28.5.0.2
Erlang	Erlang\/Otp	>= 29.0, < 29.0.2

References

https://cna.erlef.org/cves/CVE-2026-48856.htmlMitigation, Third Party Advisory
https://github.com/erlang/otp/commit/688d748d6f7a6a06b13b662a1d3de8af97079612Patch
https://github.com/erlang/otp/security/advisories/GHSA-m75x-4vwg-ggjhMitigation, Vendor Advisory
https://osv.dev/vulnerability/EEF-CVE-2026-48856Mitigation, Third Party Advisory
https://www.erlang.org/doc/system/versions.html#order-of-versionsProduct

Timeline

Published: Jun 10, 2026
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2026-48856?

Sensitive Data Exposure vulnerability in Erlang OTP inets (httpc_response module) allows Retrieve Embedded Sensitive Data. The httpc client forwards the Authorization and Proxy-Authorization request headers to redirect targets without checking whether the redirect crosses an origin boundary. httpc_response:redirect/2 constructs the redirected request by updating only the host field of the header record; all other fields (including authorization and proxy_authorization) are copied verbatim. The redirect target host is never compared against the original host. autoredirect defaults to true, so this affects all httpc callers that do not explicitly disable automatic redirects. An attacker who controls a server that the victim contacts via httpc can issue a cross-origin 3xx redirect to a server they also control. The Authorization header (including Basic credentials derived from URL userinfo via httpc_request:handle_user_info/2) is forwarded to the redirect target, allowing credential theft. The same applies to the Proxy-Authorization header. This vulnerability is associated with program files lib/inets/src/http_client/httpc_response.erl. This issue affects OTP from 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10 before 9.7.1, 9.6.2.2 and 9.3.2.6.

How severe is CVE-2026-48856?

CVE-2026-48856 has a CVSS score of 7.1/10 (HIGH severity). The EPSS model estimates a 0.34% probability of exploitation in the next 30 days.

How do I fix CVE-2026-48856?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.