PatchSiren cyber security CVE debrief

CVE-2026-49756 wojtekmach CVE debrief

CVE-2026-49756 is an Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in the Req library. This vulnerability allows multipart parameter smuggling via attacker-influenced part metadata. The issue arises from the `Req.Utils.encode_form_part/2` function in `lib/req/utils.ex`, which builds per-part headers by directly interpolating caller-supplied values (name, filename, and content_type) into content-disposition and content-type lines without proper escaping or CRLF stripping.

Vendor: wojtekmach
Product: req
CVSS: LOW 2.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-08
Original CVE updated: 2026-06-09
Advisory published: 2026-06-08
Advisory updated: 2026-06-09

Who should care

The vulnerability affects applications using the Req library (versions 0.5.3 up to, but not including, 0.6.0) that forward user-controlled filenames or field names through `Req.post/2` with `form_multipart`. This could allow an attacker to inject arbitrary headers into the outgoing multipart body or smuggle additional fields and parts into the request sent downstream by the victim service.

Technical summary

The `Req.Utils.encode_form_part/2` function is vulnerable to CRLF injection attacks. Specifically, if a value contains a double quote (`"`), carriage return (`\r`), or newline (`\n`), it can close the surrounding quoted value and start a new header line. An additional `\r\n--<boundary>` can terminate the current part and prepend a smuggled part of the attacker's choice. This issue is particularly exploitable when the value is a `%File.Stream{}`, as the filename defaults to `Path.basename(stream.path)`, and POSIX filenames can legitimately contain `\r` and `\n`.

Defensive priority

The CVSS score for this vulnerability is 2.1, indicating a Low severity. However, the impact can be significant if the application is configured to forward user-controlled data through Req.

Recommended defensive actions

  • Upgrade to Req version 0.6.0 or later.
  • Avoid using user-controlled filenames or field names with `Req.post/2` and `form_multipart`.
  • Validate and sanitize user input to prevent CRLF injection.
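The following is an added example, not code from Req or the advisory, showing the "validate and sanitize" action above applied to the exact metadata the technical summary names (name, filename, content_type, and the `Path.basename/1` default for a `%File.Stream{}`). It assumes form fields of the shape `{name, value}` or `{name, {value, opts}}` with `:filename` and `:content_type` options; the module and function names are hypothetical.

```elixir
# Added example (not Req's own code): reject part metadata that could break out
# of a quoted header value before the form is handed to Req.post/2.
defmodule SafeMultipart do
  # Any of these lets a value close the quoted value or start a new header line.
  @forbidden ["\"", "\r", "\n"]

  @doc "Checks one header value; nil (option absent) is fine."
  def check(nil), do: :ok

  def check(value) when is_binary(value) do
    if String.contains?(value, @forbidden),
      do: {:error, {:unsafe_part_metadata, value}},
      else: :ok
  end

  @doc """
  Validates one form_multipart entry (assumed shape: {name, value} or
  {name, {value, opts}}). For a %File.Stream{} with no explicit :filename the
  basename of the path is checked, since that is what lands in the header.
  """
  def check_field({name, {value, opts}}) when is_list(opts) do
    filename =
      case {Keyword.get(opts, :filename), value} do
        {nil, %File.Stream{path: path}} -> Path.basename(path)
        {explicit, _} -> explicit
      end

    with :ok <- check(to_string(name)),
         :ok <- check(filename),
         :ok <- check(Keyword.get(opts, :content_type)),
         do: :ok
  end

  def check_field({name, value}), do: check_field({name, {value, []}})

  @doc "Returns {:ok, fields} only when every part's metadata is safe to interpolate."
  def check_form(fields) do
    Enum.reduce_while(fields, {:ok, fields}, fn field, acc ->
      case check_field(field) do
        :ok -> {:cont, acc}
        {:error, _} = err -> {:halt, err}
      end
    end)
  end
end

# Constructed inputs: a trusted text field passes, a user-supplied filename
# carrying CRLF is rejected before it can reach the multipart encoder.
{:ok, _} = SafeMultipart.check_form(note: "hello")
{:error, {:unsafe_part_metadata, _}} =
  SafeMultipart.check_form(upload: {"data", filename: "report.txt\r\nx"})
```

Call `check_form/1` on the list you would pass as `form_multipart` and only issue the request on `{:ok, fields}`; a `%File.Stream{}` built from a user-controlled path is covered because its basename is checked.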

Evidence notes

The CVE record was published on 2026-06-08T16:16:44.040Z and modified on 2026-06-09T15:20:13.097Z. The vulnerability was reported through multiple sources, including GitHub and the NVD.

Official resources

The information provided in this debrief is based on the data available from the CVE record and related sources. For the most up-to-date information, please refer to the official CVE record at [cve-org].