Description
Sensitive Data Exposure vulnerability in benoitc hackney allows Retrieve Embedded Sensitive Data. The HTTP/3 redirect handler in src/hackney_h3.erl passes the original request headers unchanged to the redirect target without performing any cross-origin check. When a client issues an HTTP/3 request with follow_redirect enabled and includes Authorization or Cookie headers, a server responding with a 3xx redirect to a different host will cause the client to forward those credentials verbatim to the new origin.

The main hackney.erl module has maybe_strip_auth_on_redirect/2 (guarded by the location_trusted option) to address CVE-2018-1000007, but hackney_h3.erl is missing this protection entirely.

This issue affects hackney: from 3.1.1 before 4.0.1.
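
The cross-origin check that the description says hackney_h3.erl lacks, written out as an added Erlang example; it is not hackney's code and not the 4.0.1 fix. The module redirect_guard, the function headers_for_redirect/4 and all sample URLs and header values are constructed for illustration, and uri_string:resolve/2 requires OTP 22.3 or later.

```erlang
%% Added example (hypothetical module, not hackney's code).
-module(redirect_guard).
-export([headers_for_redirect/4, demo/0]).

-define(SENSITIVE, [<<"authorization">>, <<"cookie">>]).

%% Headers that may go to the redirect target. Credentials survive only for
%% a same-origin target, or when the caller opts in with location_trusted.
headers_for_redirect(OrigUrl, Location, Headers, Opts) ->
    Base = unicode:characters_to_binary(OrigUrl),
    %% A relative Location is resolved against the original request URL.
    Target = uri_string:resolve(unicode:characters_to_binary(Location), Base),
    Trusted = proplists:get_value(location_trusted, Opts, false) =:= true,
    case Trusted orelse same_origin(Base, Target) of
        true  -> Headers;
        false -> [H || {Name, _} = H <- Headers, not sensitive(Name)]
    end.

%% Header names are compared case-insensitively.
sensitive(Name) ->
    lists:member(string:lowercase(iolist_to_binary(Name)), ?SENSITIVE).

%% Fail closed: anything unparsable counts as a different origin.
same_origin(A, B) ->
    OA = origin(A),
    OA =/= error andalso OA =:= origin(B).

%% Origin = {scheme, host, port}, with the default port filled in.
origin(Uri) when is_binary(Uri) ->
    case uri_string:parse(Uri) of
        #{scheme := S, host := H} = M ->
            Scheme = string:lowercase(S),
            {Scheme, string:lowercase(H), maps:get(port, M, default_port(Scheme))};
        _ -> error
    end;
origin(_) -> error.   % uri_string:resolve/2 returned an error tuple

default_port(<<"https">>) -> 443;
default_port(<<"http">>)  -> 80;
default_port(_)           -> undefined.

%% Constructed sample values; each match crashes if the result differs.
demo() ->
    Hdrs = [{<<"Authorization">>, <<"Bearer CONSTRUCTED">>},
            {<<"cookie">>, <<"sid=CONSTRUCTED">>}, {<<"accept">>, <<"*/*">>}],
    F = fun(Loc, Opts) ->
            headers_for_redirect(<<"https://api.example.test/v1">>, Loc, Hdrs, Opts)
        end,
    Hdrs = F(<<"/v2/items">>, []),                                % same origin
    [{<<"accept">>, _}] = F(<<"https://other.example.test/">>, []),      % other host
    [{<<"accept">>, _}] = F(<<"https://api.example.test:8443/">>, []),   % other port
    Hdrs = F(<<"https://other.example.test/">>, [{location_trusted, true}]),
    ok.
```

Calling redirect_guard:demo() in an Erlang shell returns ok when all four cases behave as the comments state.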
Published: 2026-05-25
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The HTTP/3 redirect handler in hackney forwards all original request headers unchanged to any redirect target without performing a cross‑origin check. When a client issues a request with follow_redirect enabled and includes Authorization or Cookie headers, a 3xx redirect to another host will cause the client to resend those sensitive headers verbatim to the new origin, thereby leaking credentials. According to the CVE data, this flaw is classified as CWE‑601, indicating an open redirect leading to unintended data exposure.

Affected Systems

The vulnerability affects the Erlang HTTP client library hackney from version 3.1.1 up to, but not including, 4.0.1. The affected product is benoitc hackney (Erlang).

Risk and Exploitability

The CVSS score of 6 denotes moderate severity. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is network‑based: an attacker who can cause the client to follow a redirect to a domain under the attacker’s control may obtain the client’s Authorization or Cookie headers and thereby gain unauthorized access. Exploitation requires the client to be configured to follow redirects and to send credentials, so it is contingent on the client’s settings but, once triggered, results in credential exposure.

Generated by OpenCVE AI on May 25, 2026 at 16:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade hackney to version 4.0.1 or later to apply the vendor’s fix that prevents redirect header leakage.
  • If upgrading is not immediately feasible, disable the follow_redirect option or strip Authorization and Cookie headers before making an HTTP/3 request.
  • Configure or enforce the location_trusted option in hackney to ensure that redirects are only followed to trusted origins.



Advisories

No advisories yet.

History

Wed, 27 May 2026 14:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Tue, 26 May 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 25 May 2026 14:30:00 +0000

Type Values Removed Values Added
Description Sensitive Data Exposure vulnerability in benoitc hackney allows Retrieve Embedded Sensitive Data. The HTTP/3 redirect handler in src/hackney_h3.erl passes the original request headers unchanged to the redirect target without performing any cross-origin check. When a client issues an HTTP/3 request with follow_redirect enabled and includes Authorization or Cookie headers, a server responding with a 3xx redirect to a different host will cause the client to forward those credentials verbatim to the new origin. The main hackney.erl module has maybe_strip_auth_on_redirect/2 (guarded by the location_trusted option) to address CVE-2018-1000007, but hackney_h3.erl is missing this protection entirely. This issue affects hackney: from 3.1.1 before 4.0.1.
Title HTTP/3 redirect handler leaks Authorization and Cookie headers to cross-origin redirect target in hackney
First Time appeared Benoitc
Benoitc hackney
Weaknesses CWE-601
CPEs cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*
Vendors & Products Benoitc
Benoitc hackney
References
Metrics cvssV4_0

{'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-05-27T15:41:16.046Z

Reserved: 2026-05-18T17:28:08.322Z

Link: CVE-2026-47070

Vulnrichment

Updated: 2026-05-26T15:47:11.688Z

NVD

Status: Analyzed

Published: 2026-05-25T15:16:22.010

Modified: 2026-05-27T13:55:50.247

Link: CVE-2026-47070

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T18:00:15Z

Weaknesses
  • CWE-601

    URL Redirection to Untrusted Site ('Open Redirect')