Description
Improper Handling of Case Sensitivity vulnerability in elixir-tesla tesla allows credential leakage to a third-party origin on cross-origin redirects.

Tesla.Middleware.FollowRedirects strips security-sensitive headers on cross-origin redirects using a case-sensitive string comparison against a lowercase filter list (@filter_headers ["authorization", "host"]). HTTP header names are case-insensitive per RFC 7230, but Tesla preserves header keys verbatim as supplied by the caller without normalizing case. A header set as {"Authorization", "Bearer …"} (the RFC 7235 canonical casing used by virtually all HTTP libraries and documentation) does not match the lowercase filter entry and is forwarded to the redirect destination. An attacker who can control or influence a Location: response seen by the client (via their own endpoint, a redirect-open upstream, or a compromised origin) receives the bearer token or other Authorization material on the cross-origin request.

This issue affects tesla: from 1.4.0 before 1.18.3.
Published: 2026-06-02
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Tesla middleware treats HTTP header names as case-sensitive when determining which headers to strip on cross-origin redirects, but the HTTP specification defines header names as case-insensitive. Because the library preserves the exact casing supplied by callers, a header set as "Authorization" does not match the lowercase filter value "authorization" and is therefore passed along to the redirect target. This flaw lets an attacker who can influence the Location response (e.g., by controlling their own endpoint or compromising an upstream service) receive bearer tokens or other sensitive credentials that were intended for the original origin. The vulnerability is classified as CWE‑178 (Improper Handling of Case Sensitivity).

Affected Systems

The Elixir Tesla HTTP client library for Elixir, versions 1.4.0 through 1.18.2, is affected. Versions before 1.4.0 are not listed as vulnerable and updates through 1.18.3 and later include the fix.

Risk and Exploitability

With a CVSS base score of 8.2, this flaw is considered high severity. Although the EPSS score is not available, the vulnerability is not in the CISA KEV catalog, so exploit prevalence is uncertain. An attacker can exploit the issue by issuing or manipulating a cross-origin redirect that results in the client following a Location header to a third‑party domain. The leaked Authorization header can then be used for unauthorized access. The impact can range from compromised user accounts to full credential compromise, depending on the sensitive data contained in the header. Due to the lack of an EPSS metric, the likelihood remains unclear, but the potential for credential theft mandates immediate attention.

Generated by OpenCVE AI on June 3, 2026 at 04:19 UTC.

Remediation

Vendor Workaround

Normalize all header keys to lowercase before passing them to Tesla. Use "authorization" instead of "Authorization" when setting headers via Tesla.put_header/3 or Tesla.Middleware.Headers.

OpenCVE Recommended Actions

  • Upgrade Tesla to version 1.18.3 or later to apply the official fix
  • Normalize all header keys to lowercase and use "authorization" when configuring headers via Tesla.put_header/3 or Tesla.Middleware.Headers to ensure the header is stripped on redirects
  • If an upgrade is not immediately possible, avoid sending Authorization headers on requests that may follow redirects or actively monitor response Location headers for unexpected redirects to untrusted origins

Generated by OpenCVE AI on June 3, 2026 at 04:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Description Improper Handling of Case Sensitivity vulnerability in elixir-tesla tesla allows credential leakage to a third-party origin on cross-origin redirects. Tesla.Middleware.FollowRedirects strips security-sensitive headers on cross-origin redirects using a case-sensitive string comparison against a lowercase filter list (@filter_headers ["authorization", "host"]). HTTP header names are case-insensitive per RFC 7230, but Tesla preserves header keys verbatim as supplied by the caller without normalizing case. A header set as {"Authorization", "Bearer …"} (the RFC 7235 canonical casing used by virtually all HTTP libraries and documentation) does not match the lowercase filter entry and is forwarded to the redirect destination. An attacker who can control or influence a Location: response seen by the client (via their own endpoint, a redirect-open upstream, or a compromised origin) receives the bearer token or other Authorization material on the cross-origin request. This issue affects tesla: from 1.4.0 before 1.18.3.
Title Authorization header leaks to third-party origin on cross-origin redirect in Tesla.Middleware.FollowRedirects
First Time appeared Elixir-tesla
Elixir-tesla tesla
Weaknesses CWE-178
CPEs cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:*
Vendors & Products Elixir-tesla
Elixir-tesla tesla
References
Metrics cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Elixir-tesla Tesla
cve-icon MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-06-02T19:12:24.989Z

Reserved: 2026-05-22T09:36:56.834Z

Link: CVE-2026-48595

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-02T20:16:38.390

Modified: 2026-06-02T20:16:38.390

Link: CVE-2026-48595

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-03T04:30:05Z

Weaknesses