{"containers":{"cna":{"affected":[{"cpes":["cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"],"defaultStatus":"unknown","modules":["httpc_response"],"packageName":"inets","packageURL":"pkg:otp/inets?repository_url=https:%2F%2Fgithub.com%2Ferlang%2Fotp&vcs_url=git%20https:%2F%2Fgithub.com%2Ferlang%2Fotp.git","product":"OTP","programFiles":["src/http_client/httpc_response.erl"],"programRoutines":[{"name":"httpc_response:redirect/2"}],"repo":"https://github.com/erlang/otp","vendor":"Erlang","versions":[{"changes":[{"at":"9.7.1","status":"unaffected"},{"at":"9.6.2.2","status":"unaffected"},{"at":"9.3.2.6","status":"unaffected"}],"lessThan":"*","status":"affected","version":"5.10","versionType":"otp"}]},{"collectionURL":"https://github.com","cpes":["cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*"],"defaultStatus":"unknown","modules":["httpc_response"],"packageName":"erlang/otp","packageURL":"pkg:github/erlang/otp","product":"OTP","programFiles":["lib/inets/src/http_client/httpc_response.erl"],"programRoutines":[{"name":"httpc_response:redirect/2"}],"repo":"https://github.com/erlang/otp","vendor":"Erlang","versions":[{"changes":[{"at":"29.0.2","status":"unaffected"},{"at":"28.5.0.2","status":"unaffected"},{"at":"27.3.4.13","status":"unaffected"}],"lessThan":"*","status":"affected","version":"17.0","versionType":"otp"},{"lessThan":"688d748d6f7a6a06b13b662a1d3de8af97079612","status":"affected","version":"84adefa331c4159d432d22840663c38f155cd4c1","versionType":"git"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*","versionEndExcluding":"27.3.4.13","vulnerable":true},{"criteria":"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*","versionEndExcluding":"28.5.0.2","versionStartIncluding":"28.0","vulnerable":true},{"criteria":"cpe:2.3:a:erlang:erlang\\/otp:*:*:*:*:*:*:*:*","versionEndExcluding":"29.0.2","versionStartIncluding":"29.0","vulnerable":true}],"negate":false,"operator":"OR"}],"operator":"AND"}],"credits":[{"lang":"en","type":"finder","value":"Jonatan Männchen / EEF"},{"lang":"en","type":"remediation developer","value":"Jonatan Männchen / EEF"},{"lang":"en","type":"remediation reviewer","value":"Ingela Anderton Andin"},{"lang":"en","type":"remediation reviewer","value":"Konrad Pietrzak"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Sensitive Data Exposure vulnerability in Erlang OTP inets (<tt>httpc_response</tt> module) allows Retrieve Embedded Sensitive Data.<p>The <tt>httpc</tt> client forwards the <tt>Authorization</tt> and <tt>Proxy-Authorization</tt> request headers to redirect targets without checking whether the redirect crosses an origin boundary. <tt>httpc_response:redirect/2</tt> constructs the redirected request by updating only the <tt>host</tt> field of the header record; all other fields (including <tt>authorization</tt> and <tt>proxy_authorization</tt>) are copied verbatim. The redirect target host is never compared against the original host.</p><p><tt>autoredirect</tt> defaults to <tt>true</tt>, so this affects all <tt>httpc</tt> callers that do not explicitly disable automatic redirects.</p><p>An attacker who controls a server that the victim contacts via <tt>httpc</tt> can issue a cross-origin 3xx redirect to a server they also control. The <tt>Authorization</tt> header (including Basic credentials derived from URL userinfo via <tt>httpc_request:handle_user_info/2</tt>) is forwarded to the redirect target, allowing credential theft. The same applies to the <tt>Proxy-Authorization</tt> header.</p><p>This vulnerability is associated with program files <tt>lib/inets/src/http_client/httpc_response.erl</tt>.</p><p>This issue affects OTP from 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10 before 9.7.1, 9.6.2.2 and 9.3.2.6.</p>"}],"value":"Sensitive Data Exposure vulnerability in Erlang OTP inets (httpc_response module) allows Retrieve Embedded Sensitive Data.\n\nThe httpc client forwards the Authorization and Proxy-Authorization request headers to redirect targets without checking whether the redirect crosses an origin boundary. httpc_response:redirect/2 constructs the redirected request by updating only the host field of the header record; all other fields (including authorization and proxy_authorization) are copied verbatim. The redirect target host is never compared against the original host.\n\nautoredirect defaults to true, so this affects all httpc callers that do not explicitly disable automatic redirects.\n\nAn attacker who controls a server that the victim contacts via httpc can issue a cross-origin 3xx redirect to a server they also control. The Authorization header (including Basic credentials derived from URL userinfo via httpc_request:handle_user_info/2) is forwarded to the redirect target, allowing credential theft. The same applies to the Proxy-Authorization header.\n\nThis vulnerability is associated with program files lib/inets/src/http_client/httpc_response.erl.\n\nThis issue affects OTP from 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10 before 9.7.1, 9.6.2.2 and 9.3.2.6."}],"impacts":[{"capecId":"CAPEC-37","descriptions":[{"lang":"en","value":"CAPEC-37 Retrieve Embedded Sensitive Data"}]}],"metrics":[{"cvssV4_0":{"attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":7.1,"baseSeverity":"HIGH","privilegesRequired":"NONE","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"PASSIVE","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"NONE"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-601","description":"CWE-601 URL Redirection to Untrusted Site ('Open Redirect')","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-10T14:41:51.616Z","orgId":"6b3ad84c-e1a6-4bf7-a703-f496b71e49db","shortName":"EEF"},"references":[{"tags":["vendor-advisory","related"],"url":"https://github.com/erlang/otp/security/advisories/GHSA-m75x-4vwg-ggjh"},{"tags":["related"],"url":"https://cna.erlef.org/cves/CVE-2026-48856.html"},{"tags":["related"],"url":"https://osv.dev/vulnerability/EEF-CVE-2026-48856"},{"tags":["x_version-scheme"],"url":"https://www.erlang.org/doc/system/versions.html#order-of-versions"},{"tags":["patch"],"url":"https://github.com/erlang/otp/commit/688d748d6f7a6a06b13b662a1d3de8af97079612"}],"source":{"discovery":"INTERNAL"},"title":"httpc leaks Authorization header to cross-origin redirect targets","workarounds":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<ul><li>Set <tt>{autoredirect, false}</tt> in the <tt>httpc:request/4</tt> options and handle redirects manually, stripping the <tt>Authorization</tt> header when the redirect crosses an origin boundary.</li><li>Ensure that <tt>httpc</tt> is only used to contact trusted servers that will not issue cross-origin redirects.</li></ul>"}],"value":"* Set {autoredirect, false} in the httpc:request/4 options and handle redirects manually, stripping the Authorization header when the redirect crosses an origin boundary.\n* Ensure that httpc is only used to contact trusted servers that will not issue cross-origin redirects."}],"x_generator":{"engine":"cvelib 1.8.0"}}},"cveMetadata":{"assignerOrgId":"6b3ad84c-e1a6-4bf7-a703-f496b71e49db","assignerShortName":"EEF","cveId":"CVE-2026-48856","datePublished":"2026-06-10T14:41:51.616Z","dateReserved":"2026-05-25T20:44:10.697Z","dateUpdated":"2026-06-10T14:41:51.616Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"}