CVE-2026-48595

Authorization header leaks to third-party origin on cross-origin redirect in Tesla.Middleware.FollowRedirects

Previous Page: « Back to all CVEs Next Page: See on OSV.dev »

Weakness Type (CWE)

CWE-178 — CWE-178 Improper Handling of Case Sensitivity

CAPEC

• CAPEC-267 — CAPEC-267 Leverage Alternate Encoding

CVSS 4.0 Score

8.2

HIGH

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Vulnerability description

Improper Handling of Case Sensitivity vulnerability in elixir-tesla tesla allows credential leakage to a third-party origin on cross-origin redirects.

Tesla.Middleware.FollowRedirects strips security-sensitive headers on cross-origin redirects using a case-sensitive string comparison against a lowercase filter list (@filter_headers ["authorization", "host"]). HTTP header names are case-insensitive per RFC 7230, but Tesla preserves header keys verbatim as supplied by the caller without normalizing case. A header set as {"Authorization", "Bearer …"} (the RFC 7235 canonical casing used by virtually all HTTP libraries and documentation) does not match the lowercase filter entry and is forwarded to the redirect destination. An attacker who can control or influence a Location: response seen by the client (via their own endpoint, a redirect-open upstream, or a compromised origin) receives the bearer token or other Authorization material on the cross-origin request.

This issue affects tesla: from 1.4.0 before 1.18.3.

Affected

pkg:hex/tesla

Module	Source File	Routine
Tesla.Middleware.FollowRedirects	lib/tesla/middleware/follow_redirects.ex	Tesla.Middleware.FollowRedirects.call/3

Status	Type	Version	Changes / Fixed in
affected	semver ⓘ	1.4.0	< 1.18.3

pkg:github/elixir-tesla/tesla

Module	Source File	Routine
Tesla.Middleware.FollowRedirects	lib/tesla/middleware/follow_redirects.ex	Tesla.Middleware.FollowRedirects.call/3

Status	Type	Version	Changes / Fixed in
affected	git ⓘ	2d937d5813	< db963dba67

Configurations

The application must include Tesla.Middleware.FollowRedirects in its Tesla middleware pipeline.

Workarounds

Normalize all header keys to lowercase before passing them to Tesla. Use “authorization” instead of “Authorization” when setting headers via Tesla.put_header/3 or Tesla.Middleware.Headers.

References

• https://github.com/elixir-tesla/tesla/security/advisories/GHSA-9m9w-gxf7-rh8m vendor-advisory related
• https://osv.dev/vulnerability/EEF-CVE-2026-48595 related
• https://github.com/elixir-tesla/tesla/commit/db963dba67651b9abd1fc420a1d9679cf6efe182 patch

Credits

• Finder: Peter Ullrich
• Remediation developer: Yordis Prieto
• Analyst: Jonatan Männchen

CVE record as JSON:  GET /cves/CVE-2026-48595.json
OSV record as JSON:  GET /osv/EEF-CVE-2026-48595.json