PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-56813 elixir-plug CVE debrief

CVE-2026-56813 is a LOW severity vulnerability in elixir-plug plug affecting data confidentiality. The Plug.Conn.Cookies.encode/2 function builds the Set-Cookie response header by interpolating the cookie value and its path, domain, same_site, and extra attributes directly into the header without neutralizing the ';' delimiter that separates cookie attributes. This could lead to attribute injection through ';', enabling cookie tossing and session fixation. Users of elixir-plug plug from 0.1.0 before 1.16.6, from 1.17.0 before 1.17.4, from 1.18.0 before 1.18.5, from 1.19.0 before 1.19.5, from 1.20.0 before 1.20.3 should review and apply patches.

Vendor
elixir-plug
Product
plug
CVSS
LOW 2.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Users of elixir-plug plug from 0.1.0 before 1.16.6, from 1.17.0 before 1.17.4, from 1.18.0 before 1.18.5, from 1.19.0 before 1.19.5, from 1.20.0 before 1.20.3 should review and apply patches. Operators, platform administrators, vulnerability management teams, and security teams should assess the impact of this vulnerability on their systems and prioritize patching.

Technical summary

The Plug.Conn.Cookies.encode/2 function in lib/plug/conn/cookies.ex builds the Set-Cookie response header by interpolating the cookie value and its path, domain, same_site, and extra attributes directly into the header without neutralizing the ';' delimiter that separates cookie attributes. An application that places attacker-controlled data into a cookie value or attribute lets an attacker inject a ';' to append or override cookie attributes. This could lead to attribute injection through ';', enabling cookie tossing and session fixation.

Defensive priority

Apply patches to prevent attribute injection through ';'. Review and update affected versions of elixir-plug plug. Monitor for suspicious cookie activity.

Recommended defensive actions

  • Apply patches to prevent attribute injection through ';'
  • Review and update affected versions of elixir-plug plug
  • Monitor for suspicious cookie activity
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.

Evidence notes

The CVE record was published on 2026-07-10T13:16:20.663Z and has not been modified since then. The NVD entry is currently Received. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The Plug.Conn.Cookies.encode/2 function builds the Set-Cookie response header by interpolating the cookie value and its path, domain, same_site, and extra attributes directly into the header without neutralizing the ';' delimiter that separates cookie attributes. This could lead to attribute injection through ';', enabling cookie tossing and session fixation.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T13:16:20.663Z and has not been modified since then.