PatchSiren cyber security CVE debrief

CVE-2026-47070 benoitc CVE debrief

A sensitive data exposure vulnerability exists in the hackney Erlang HTTP client library, specifically in its HTTP/3 redirect handling. When follow_redirect is enabled, the HTTP/3 handler in src/hackney_h3.erl forwards the original request headers, including Authorization and Cookie, to the redirect target without checking whether that target shares the original request's origin. As a result, credentials are sent to unintended third-party hosts whenever a server answers with a 3xx redirect to a different origin. The root cause is that hackney_h3.erl lacks the maybe_strip_auth_on_redirect/2 protection present in the main hackney.erl module, which was added to address CVE-2018-1000007. Affected versions are 3.1.1 up to, but not including, 4.0.1. The fix implements equivalent authorization-stripping logic for HTTP/3 redirects.

Vendor: benoitc
Product: hackney
CVSS: MEDIUM 6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-25
Original CVE updated: 2026-05-27
Advisory published: 2026-05-25
Advisory updated: 2026-05-27

Who should care

  • Organizations using hackney for HTTP/3 client requests in Erlang or Elixir applications, particularly those making authenticated API calls with follow_redirect enabled
  • Developers maintaining applications that send sensitive tokens or session cookies over HTTP/3 connections
  • Security teams monitoring for credential leakage vulnerabilities in HTTP client libraries

Technical summary

The vulnerability stems from inconsistent security controls across the HTTP protocol implementations within the same library. hackney's HTTP/1.x and HTTP/2 handlers call maybe_strip_auth_on_redirect/2 to strip sensitive headers on cross-origin redirects (unless the location_trusted option is set), but the HTTP/3 handler hackney_h3.erl was implemented without this protection. When a client with follow_redirect enabled sends a request carrying Authorization or Cookie headers and the server responds with a 3xx redirect to a different host, the HTTP/3 handler forwards the original headers unchanged. This violates the same-origin expectations for credential handling and enables server-side request forgery-style credential leakage: the redirecting server, not the client, decides where the credentials go. The fix commit c58d5b50bade146360b85caf3dc8065807b08246 adds equivalent header-stripping logic to the HTTP/3 redirect path.
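The origin check that the HTTP/3 redirect path lacked, as an added Erlang example that is not hackney's own code: the module name, function names and the use of binaries for URLs and header names are assumptions. It resolves relative Location values against the original URL, normalises default ports, and forwards Authorization and Cookie only to a same-origin target or when location_trusted is set.

```erlang
%% Added example (not hackney's code): which request headers may follow a
%% 3xx redirect.  Module/function names are assumptions; URLs and header
%% names are binaries.  Malformed URLs make uri_string:parse/1 return an
%% error tuple, which the map match below turns into a badmatch crash.
-module(redirect_headers).
-export([same_origin/2, headers_for_redirect/4]).

%% Scheme default ports, so <<"https://h">> and <<"https://h:443">>
%% compare as one origin.
default_port(<<"https">>) -> 443;
default_port(<<"http">>) -> 80;
default_port(_) -> undefined.

%% Origin triple {Scheme, Host, Port}, lower-cased and port-normalised.
origin(Url) ->
    #{scheme := Scheme, host := Host} = Parsed = uri_string:parse(Url),
    LowerScheme = string:lowercase(Scheme),
    Port = maps:get(port, Parsed, default_port(LowerScheme)),
    {LowerScheme, string:lowercase(Host), Port}.

same_origin(UrlA, UrlB) -> origin(UrlA) =:= origin(UrlB).

%% Header names that must not cross an origin boundary (case-insensitive);
%% these are the two the advisory names.
is_sensitive(Name) ->
    lists:member(string:lowercase(Name), [<<"authorization">>, <<"cookie">>]).

strip_sensitive(Headers) ->
    [H || {Name, _} = H <- Headers, not is_sensitive(Name)].

%% Given the original request URL, the Location header value (absolute or
%% relative), the request headers and the request options, return the
%% absolute redirect target and the headers that may be sent to it.
%% Sensitive headers are kept only for a same-origin target or when the
%% caller opted in with location_trusted.
headers_for_redirect(OrigUrl, Location, Headers, Opts) ->
    Target = uri_string:resolve(Location, OrigUrl),
    Trusted = proplists:get_bool(location_trusted, Opts),
    case Trusted orelse same_origin(OrigUrl, Target) of
        true  -> {Target, Headers};
        false -> {Target, strip_sensitive(Headers)}
    end.
```

Calling headers_for_redirect/4 with a Location on another host and Opts of [] returns the target together with only the non-sensitive headers; with [{location_trusted, true}], or with a relative Location such as <<"/login">>, the full header list is returned.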

Defensive priority

medium

Recommended defensive actions

  • Upgrade hackney to version 4.0.1 or later
  • If immediate upgrade is not possible, disable follow_redirect for HTTP/3 requests or implement application-level redirect handling with explicit cross-origin validation
  • Review application logs for unexpected credential transmission to third-party hosts following HTTP/3 redirects
  • Audit code for reliance on location_trusted option, as this protection does not extend to HTTP/3 redirects in affected versions
  • Monitor for dependency updates in downstream packages that bundle hackney

Evidence notes

CVE published 2026-05-25; modified 2026-05-26. NVD status: Undergoing Analysis. CVSS 4.0 vector indicates network attack vector with low attack complexity, requiring user interaction, with high confidentiality impact to the vulnerable component. CWE-601 (URL Redirection to Untrusted Site) identified as secondary weakness. Fix commit c58d5b50bade146360b85caf3dc8065807b08246 available.
