CVE-2026-48856: Erlang OTP httpc Credential Leakage via Cross-Origin Redirects
Erlang's httpc HTTP client has a credential-leakage flaw in how it handles HTTP redirects. When a server sends a redirect response (3xx status), httpc automatically follows it to the new location while preserving the original Authorization and Proxy-Authorization headers—including any embedded credentials. An attacker controlling both the initial target server and the redirect destination can trick the client into sending credentials to an attacker-controlled domain. Since automatic redirects are enabled by default, this affects most applications using httpc unless they explicitly disable the feature.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-601
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-06-17
NVD description (verbatim)
Sensitive Data Exposure vulnerability in Erlang OTP inets (httpc_response module) allows Retrieve Embedded Sensitive Data. The httpc client forwards the Authorization and Proxy-Authorization request headers to redirect targets without checking whether the redirect crosses an origin boundary. httpc_response:redirect/2 constructs the redirected request by updating only the host field of the header record; all other fields (including authorization and proxy_authorization) are copied verbatim. The redirect target host is never compared against the original host. autoredirect defaults to true, so this affects all httpc callers that do not explicitly disable automatic redirects. An attacker who controls a server that the victim contacts via httpc can issue a cross-origin 3xx redirect to a server they also control. The Authorization header (including Basic credentials derived from URL userinfo via httpc_request:handle_user_info/2) is forwarded to the redirect target, allowing credential theft. The same applies to the Proxy-Authorization header. This vulnerability is associated with program files lib/inets/src/http_client/httpc_response.erl. This issue affects OTP from 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10 before 9.7.1, 9.6.2.2 and 9.3.2.6.
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in the httpc_response:redirect/2 function within Erlang OTP's inets HTTP client library. When constructing a redirected request, the code updates only the Host header field while copying all other headers verbatim to the new request. Critically, the function does not validate whether the redirect target shares the same origin as the original request. This permits cross-origin credential leakage: a victim application making an authenticated request to an attacker-controlled server receives a 3xx redirect to another attacker-controlled domain, and httpc blindly forwards the Authorization header (potentially containing Basic auth credentials parsed from URL userinfo) and Proxy-Authorization header to the redirect destination. The httpc_request:handle_user_info/2 function derives Basic credentials from URL userinfo fields, which are then included in subsequent headers and forwarded across origins during redirect.
Business impact
Any service or application using Erlang OTP's httpc client for outbound HTTP requests is at risk of credential exposure if those requests are directed toward untrusted or compromised endpoints. The exposure occurs transparently—developers are unlikely to realize that credentials embedded in URLs or configured for proxy authentication are being leaked to redirect targets. For organizations relying on Erlang-based microservices, message brokers (e.g., RabbitMQ), or distributed systems using httpc for inter-service or external API communication, a single malicious redirect can expose service-to-service authentication tokens, proxy credentials, or user-supplied credentials. This is particularly dangerous in environments where HTTP Basic Auth or credentials-in-URLs remain common practices.
Affected systems
Erlang OTP versions 17.0 through 29.0.1 are affected, with three patched versions: 29.0.2, 28.5.0.2, and 27.3.4.13. The corresponding inets library versions are 5.10 through 9.7.0, with patches available in inets 9.7.1, 9.6.2.2, and 9.3.2.6. Any application built on or embedding Erlang/OTP in this range using httpc for HTTP client operations—including frameworks, message queues, and distributed systems—may be vulnerable if they do not explicitly set the autoredirect option to false or if they use default settings.
Exploitability
Exploitation requires a victim application to make an httpc request to an attacker-controlled server, which then issues a cross-origin redirect. The attack requires no user interaction (UI:N in CVSS), authenticated context (the victim must be making authenticated requests), and network-level access to respond with a malicious redirect. The barrier to exploitation is low for an attacker operating a compromised or malicious endpoint, making this a practical attack vector in supply-chain scenarios, DNS hijacking, or network-level compromise. However, the authenticated request context (PR:L) means the victim application must be making requests with credentials in the first place, limiting scope to applications that use credential-based authentication.
Remediation
Upgrade Erlang OTP to version 29.0.2 or later, or apply the targeted patches for earlier versions: OTP 28.5.0.2 and 27.3.4.13. These patches modify httpc_response:redirect/2 to validate that redirect targets share the same origin (scheme, host, port) as the original request, and to strip Authorization and Proxy-Authorization headers when crossing origin boundaries. For applications unable to patch immediately, disable automatic redirects by setting the autoredirect option to false in httpc configuration and handle redirects explicitly in application logic with origin validation.
Patch guidance
Verify your Erlang OTP version with erl -version. If running OTP 29.0.1 or earlier (except patched versions 29.0.2, 28.5.0.2, or 27.3.4.13), upgrade immediately. Patch testing should focus on verifying that legitimate cross-origin redirects are now blocked and that intra-origin redirects continue to function. Regression testing is minimal, as the fix only restricts behavior; applications relying on credential forwarding across origins will need explicit code changes to handle redirects manually. Vendors distributing embedded Erlang (e.g., message brokers, telephony platforms) should prioritize patching releases containing affected OTP versions.
Detection guidance
Monitor httpc or HTTP client logs for redirect (3xx) responses, particularly from external or untrusted domains. Correlate outbound authenticated requests with subsequent requests to different origins. Network-level detection is challenging without application instrumentation, but DNS monitoring or proxy logs showing credential headers in requests to unexpected origins may surface exploitation. For proactive assessment, scan application dependencies to identify Erlang OTP versions and validate that either (a) httpc is not used, (b) autoredirect is explicitly disabled, or (c) OTP has been patched. Code review should identify httpc:request/N calls without explicit autoredirect configuration.
Why prioritize this
Although rated MEDIUM (CVSS 6.5), this vulnerability merits high prioritization for organizations using Erlang. The flaw is in core infrastructure—the default HTTP client—affecting all httpc users transparently. Credential exposure is not ephemeral or theoretical; it directly enables account takeover, lateral movement, or supply-chain compromise. The default-enabled autoredirect setting means affected organizations are vulnerable without any misconfiguration; the burden is on patching, not remediation. Additionally, detecting exploitation is difficult and may go unnoticed. For applications already using service-to-service authentication or talking to external APIs, this is a direct path to credential compromise.
Risk score, explained
The CVSS 6.5 MEDIUM rating reflects the authenticated context (PR:L) required to trigger the flaw—the victim application must already be making authenticated requests. However, the impact is HIGH confidentiality loss (C:H) for credential data, with no integrity or availability impact (I:N, A:N). The attack vector is network-based (AV:N) with low attack complexity (AC:L) once a server is compromised or controlled. The rating does not fully capture organizational risk, because in practice, many Erlang deployments handle critical inter-service communication over HTTP, making credential leakage highly damaging despite the authenticated precondition.
Frequently asked questions
Do I need to manually handle redirects if I patch?
No. The patch modifies httpc to block credential forwarding across origins while maintaining support for same-origin redirects. Your application continues to work as before, except that cross-origin redirects no longer leak credentials. If your application intentionally performs cross-origin redirects and requires credentials on the target, you will need to update your code to disable autoredirect and handle redirects explicitly. This is unlikely for most applications.
Does this affect Erlang applications using HTTPS?
Yes. The vulnerability applies to both HTTP and HTTPS. The origin check is based on scheme, host, and port—a redirect from https://trusted.example.com to http://attacker.com or https://attacker.com will leak credentials regardless of TLS use.
What if I use httpc only for trusted internal APIs?
You are still at risk if httpc is used to communicate with any server you do not fully control. Internal networks can be compromised, DNS can be hijacked, and internal services can be misconfigured. A proactive approach is to upgrade OTP anyway and disable autoredirect unless your application has an explicit need.
How do I check if my Erlang application uses httpc?
Search your application and dependency source code for calls to httpc:request/N or inets:start(httpc, ...). Review your application's HTTP client configuration. If you are using a framework (e.g., Elixir's HTTPoison, Erlang's gun), check whether it delegates to httpc under the hood or uses an alternative HTTP client library.
This analysis is based on the CVE description and public Erlang OTP advisory information as of the publication date. Patch version numbers and affected version ranges are drawn directly from the source advisory; verify compatibility with your specific deployment before applying updates. This page does not constitute security advice for any specific organization or system. The CVSS score is provided by the upstream source; organizational risk may differ based on exposure, usage patterns, and network architecture. Exploitation requires specific conditions (authenticated requests, attacker-controlled redirect); not all Erlang deployments are equally exposed. Consult your Erlang vendor's security advisory for detailed remediation and compatibility guidance. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10856MEDIUMMISP Dashboard URL Validation Bypass – Phishing Risk
- CVE-2026-10861MEDIUMMISP Open Redirect Vulnerability in Post-Login Flow
- CVE-2026-11477MEDIUMhsweb OAuth2 Open Redirect Vulnerability – Patch Guide
- CVE-2026-21826MEDIUMHCL Digital Experience Host Header Injection Vulnerability
- CVE-2026-28301MEDIUMOpen Redirect Vulnerability (MEDIUM CVSS 4.8)
- CVE-2026-40181MEDIUMReact Router Open Redirect Vulnerability (v6 & v7)
- CVE-2026-41008MEDIUMSpring Authorization Server Open Redirect Vulnerability (CVSS 6.1)
- CVE-2026-41569MEDIUMauthentik WS-Federation URL Validation Bypass Leading to Credential Theft