PatchSiren cyber security CVE debrief
CVE-2026-56813 elixir-plug CVE debrief
CVE-2026-56813 is a LOW severity vulnerability in elixir-plug plug affecting data confidentiality. The Plug.Conn.Cookies.encode/2 function builds the Set-Cookie response header by interpolating the cookie value and its path, domain, same_site, and extra attributes directly into the header without neutralizing the ';' delimiter that separates cookie attributes. This could lead to attribute injection through ';', enabling cookie tossing and session fixation. Users of elixir-plug plug from 0.1.0 before 1.16.6, from 1.17.0 before 1.17.4, from 1.18.0 before 1.18.5, from 1.19.0 before 1.19.5, from 1.20.0 before 1.20.3 should review and apply patches.
- Vendor
- elixir-plug
- Product
- plug
- CVSS
- LOW 2.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-10
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-10
- Advisory updated
- 2026-07-10
Who should care
Users of elixir-plug plug from 0.1.0 before 1.16.6, from 1.17.0 before 1.17.4, from 1.18.0 before 1.18.5, from 1.19.0 before 1.19.5, from 1.20.0 before 1.20.3 should review and apply patches. Operators, platform administrators, vulnerability management teams, and security teams should assess the impact of this vulnerability on their systems and prioritize patching.
Technical summary
The Plug.Conn.Cookies.encode/2 function in lib/plug/conn/cookies.ex builds the Set-Cookie response header by interpolating the cookie value and its path, domain, same_site, and extra attributes directly into the header without neutralizing the ';' delimiter that separates cookie attributes. An application that places attacker-controlled data into a cookie value or attribute lets an attacker inject a ';' to append or override cookie attributes. This could lead to attribute injection through ';', enabling cookie tossing and session fixation.
Defensive priority
Apply patches to prevent attribute injection through ';'. Review and update affected versions of elixir-plug plug. Monitor for suspicious cookie activity.
Recommended defensive actions
- Apply patches to prevent attribute injection through ';'
- Review and update affected versions of elixir-plug plug
- Monitor for suspicious cookie activity
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
Evidence notes
The CVE record was published on 2026-07-10T13:16:20.663Z and has not been modified since then. The NVD entry is currently Received. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The Plug.Conn.Cookies.encode/2 function builds the Set-Cookie response header by interpolating the cookie value and its path, domain, same_site, and extra attributes directly into the header without neutralizing the ';' delimiter that separates cookie attributes. This could lead to attribute injection through ';', enabling cookie tossing and session fixation.
Official resources
-
CVE-2026-56813 CVE record
CVE.org
-
CVE-2026-56813 NVD detail
NVD
-
Source item URL
nvd_modified
-
Source reference
6b3ad84c-e1a6-4bf7-a703-f496b71e49db
-
Source reference
6b3ad84c-e1a6-4bf7-a703-f496b71e49db
-
Source reference
6b3ad84c-e1a6-4bf7-a703-f496b71e49db
-
Source reference
6b3ad84c-e1a6-4bf7-a703-f496b71e49db
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T13:16:20.663Z and has not been modified since then.