CVE-2026-48856

Name: CVE-2026-48856

Description: Sensitive Data Exposure vulnerability in Erlang OTP inets (httpc_response module) allows Retrieve Embedded Sensitive Data.

The httpc client forwards the Authorization and Proxy-Authorization request headers to redirect targets without checking whether the redirect crosses an origin boundary. httpc_response:redirect/2 constructs the redirected request by updating only the host field of the header record; all other fields (including authorization and proxy_authorization) are copied verbatim. The redirect target host is never compared against the original host. autoredirect defaults to true, so this affects all httpc callers that do not explicitly disable automatic redirects.

An attacker who controls a server that the victim contacts via httpc can issue a cross-origin 3xx redirect to a server they also control. The Authorization header (including Basic credentials derived from URL userinfo via httpc_request:handle_user_info/2) is forwarded to the redirect target, allowing credential theft. The same applies to the Proxy-Authorization header.

This vulnerability is associated with program files lib/inets/src/http_client/httpc_response.erl. This issue affects OTP from 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13, corresponding to inets from 5.10 before 9.7.1, 9.6.2.2 and 9.3.2.6.

Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Debian Bugs: 1139727
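
On an unpatched inets the only caller-side control is the autoredirect option. The module below is an added example (not OTP code, not part of the Debian package): it issues requests with autoredirect set to false and follows 3xx responses itself, dropping Authorization and Proxy-Authorization whenever the redirect target is not the same origin. The module name safe_redirect, the redirect limit and the URLs in the usage comment are assumptions; the origin check compares scheme, host and port (stricter than the host-only comparison the description says the vulnerable code lacks). uri_string:resolve/2 needs OTP 22.3 or later.

```erlang
%% safe_redirect.erl: added example, not OTP or Debian code.
%% Follows redirects manually so that credential headers never cross an
%% origin boundary on an inets version affected by CVE-2026-48856.
-module(safe_redirect).
-export([get/2, same_origin/2, strip_credentials/1]).

-define(MAX_REDIRECTS, 5).          % assumed limit; tune per application
-define(REDIRECT_CODES, [301, 302, 303, 307, 308]).

%% Url :: string(), Headers :: [{string(), string()}].
%% inets (and ssl for https URLs) must already be started.
get(Url, Headers) ->
    follow(Url, Headers, ?MAX_REDIRECTS).

follow(_Url, _Headers, 0) ->
    {error, too_many_redirects};
follow(Url, Headers, Remaining) ->
    %% autoredirect=false keeps httpc_response:redirect/2 from ever running,
    %% so the vulnerable verbatim copy of the header record cannot happen.
    case httpc:request(get, {Url, Headers}, [{autoredirect, false}], []) of
        {ok, {{_Version, Status, _Reason}, RespHeaders, _Body}} = Resp ->
            case lists:member(Status, ?REDIRECT_CODES) of
                true  -> redirect(Url, Headers, RespHeaders, Remaining);
                false -> Resp
            end;
        Error ->
            Error
    end.

redirect(Url, Headers, RespHeaders, Remaining) ->
    %% httpc returns response header names lowercased.
    case lists:keyfind("location", 1, RespHeaders) of
        {_, Location} ->
            case uri_string:resolve(Location, Url) of
                {error, _, _} = Err ->
                    {error, {bad_location, Err}};
                Target ->
                    %% This is the check the vulnerable code omits: only a
                    %% same-origin hop may keep the credential headers.
                    Next = case same_origin(Url, Target) of
                               true  -> Headers;
                               false -> strip_credentials(Headers)
                           end,
                    follow(Target, Next, Remaining - 1)
            end;
        false ->
            {error, redirect_without_location}
    end.

%% Origin = {scheme, host, effective port}, case-insensitive on scheme/host.
same_origin(UrlA, UrlB) ->
    origin(UrlA) =:= origin(UrlB).

origin(Url) ->
    #{scheme := Scheme, host := Host} = Parsed = uri_string:parse(Url),
    Port = maps:get(port, Parsed, default_port(string:lowercase(Scheme))),
    {string:lowercase(Scheme), string:lowercase(Host), Port}.

default_port("http")  -> 80;
default_port("https") -> 443;
default_port(_)       -> undefined.

%% Drop both headers named in the advisory, whatever their case.
strip_credentials(Headers) ->
    [H || {Name, _} = H <- Headers,
          not lists:member(string:lowercase(Name),
                           ["authorization", "proxy-authorization"])].

%% Usage (assumed URLs):
%% 1> inets:start(), ssl:start().
%% 2> safe_redirect:get("https://api.example.com/resource",
%%                      [{"authorization", "Bearer <token>"}]).
%% A 302 from api.example.com to attacker.example reaches the second host
%% without the Authorization header; a 302 to another path on
%% api.example.com keeps it.
```

Two caveats. Credentials given as URL userinfo (http://user:pass@host/) are turned into a Basic Authorization header by httpc for the hop that carries them, and because each hop here is a fresh httpc:request/4 call on the resolved target, that header is not carried forward either. Proxy-Authorization is stripped on the same rule; if every hop in your deployment goes through the same authenticated proxy, re-add that header per hop from configuration rather than copying it from the previous request. The example only issues GET, so the method change a 303 implies is not handled.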

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release               Version                      Status
erlang (PTS)     bullseye              1:23.2.6+dfsg-1+deb11u1      vulnerable
                 bullseye (security)   1:23.2.6+dfsg-1+deb11u4      vulnerable
                 bookworm              1:25.2.3+dfsg-1+deb12u4      vulnerable
                 bookworm (security)   1:25.2.3+dfsg-1+deb12u1      vulnerable
                 trixie                1:27.3.4.1+dfsg-1+deb13u2    vulnerable
                 forky, sid            1:29.0.2+dfsg-1              fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version      Urgency   Origin   Debian Bugs
erlang    source   (unstable)   1:29.0.2+dfsg-1                       1139727

Notes

https://github.com/erlang/otp/security/advisories/GHSA-m75x-4vwg-ggjh
https://cna.erlef.org/cves/CVE-2026-48856.html
https://osv.dev/vulnerability/EEF-CVE-2026-48856
Fixed by: https://github.com/erlang/otp/commit/688d748d6f7a6a06b13b662a1d3de8af97079612 (OTP-29.0.2, OTP-28.5.0.2, OTP-27.3.4.13)
