Description
Sensitive Data Exposure vulnerability in Erlang OTP inets (httpc_response module) allows Retrieve Embedded Sensitive Data.

The httpc client forwards the Authorization and Proxy-Authorization request headers to redirect targets without checking whether the redirect crosses an origin boundary. httpc_response:redirect/2 constructs the redirected request by updating only the host field of the header record; all other fields (including authorization and proxy_authorization) are copied verbatim. The redirect target host is never compared against the original host.

autoredirect defaults to true, so this affects all httpc callers that do not explicitly disable automatic redirects.

An attacker who controls a server that the victim contacts via httpc can issue a cross-origin 3xx redirect to a server they also control. The Authorization header (including Basic credentials derived from URL userinfo via httpc_request:handle_user_info/2) is forwarded to the redirect target, allowing credential theft. The same applies to the Proxy-Authorization header.

This vulnerability is associated with program files lib/inets/src/http_client/httpc_response.erl.

This issue affects OTP from 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10 before 9.7.1, 9.6.2.2 and 9.3.2.6.
Published: 2026-06-10
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is in the httpc client of Erlang/OTP's inets application. When a request receives a 3xx response, httpc_response:redirect/2 builds the follow-up request by replacing only the host field of the header record; every other field, including authorization and proxy_authorization, is copied verbatim, and the new host is never compared with the original one. An attacker who controls a redirect target therefore receives the victim's Authorization and Proxy-Authorization headers, including the Basic credentials that httpc_request:handle_user_info/2 derives from userinfo embedded in the request URL. Credentials are thus exfiltrated whenever a cross-origin redirect is followed. The weakness is tracked as CWE-601 and results in sensitive data exposure (credential theft).

Affected Systems

This issue affects Erlang/OTP from 17.0 onward, up to but not including the fixed releases 29.0.2, 28.5.0.2 and 27.3.4.13 on their respective branches (inets from 5.10, up to but not including 9.7.1, 9.6.2.2 and 9.3.2.6). Any httpc caller on an earlier release is affected unless it explicitly sets autoredirect to false. The vulnerable code is in the http_client component of inets (lib/inets/src/http_client/httpc_response.erl).

Risk and Exploitability

With a CVSS 4.0 score of 7.1, the vulnerability is rated high severity. No EPSS score is available, and it is not listed in the CISA KEV catalog. An attacker who controls, or can inject responses from, a server that the victim contacts with httpc can answer with a 3xx redirect whose Location points at a host they operate. Because autoredirect defaults to true, httpc follows the redirect unless the caller disabled it, and httpc_response:redirect/2 unconditionally carries the Authorization and Proxy-Authorization headers along, so the disclosure is deterministic rather than probabilistic. The likelihood of exploitation is therefore significant wherever httpc clients send credentials to endpoints that are not fully trusted.

Generated by OpenCVE AI on June 10, 2026 at 17:22 UTC.

Remediation

Vendor Workaround

* Pass {autoredirect, false} in the HttpOptions argument of httpc:request/4 and handle redirects manually, stripping the Authorization and Proxy-Authorization headers whenever the redirect target's scheme, host or port differs from the original request's.
* Ensure that httpc is only used to contact trusted servers that will not issue cross-origin redirects.


OpenCVE Recommended Actions

  • Pass {autoredirect, false} in the HttpOptions argument of httpc:request/4 and handle redirects manually, omitting the Authorization and Proxy-Authorization headers whenever the redirect target is not the same origin (scheme, host and port) as the original request.
  • If processing redirects manually, strip any sensitive headers before forwarding to a cross‑origin target.
  • Restrict the use of the httpc client to servers you control or that can be verified to never return cross‑origin redirects.
  • Upgrade Erlang/OTP to a fixed release: 29.0.2, 28.5.0.2 or 27.3.4.13 (inets 9.7.1, 9.6.2.2 or 9.3.2.6) or later on the respective branch.
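The manual-redirect workaround above, written out as an added Erlang example. This is not code from OTP or from the advisory; the module and function names (httpc_safe_redirect, safe_get/3, same_origin/2, strip_credentials/1) are assumptions, and only the httpc:request/4, uri_string:parse/1 and uri_string:resolve/2 calls are real OTP APIs. It does by hand what httpc_response:redirect/2 does not: it compares the origin of each redirect target with the origin of the request that produced it and drops the credential headers when they differ.

```erlang
%% Added example, not code from OTP or from the advisory. Wraps httpc so that
%% credentials never follow a cross-origin redirect. Module and function names
%% are assumptions; only the httpc and uri_string calls are real OTP APIs.
-module(httpc_safe_redirect).
-export([safe_get/3, same_origin/2, strip_credentials/1]).

-define(MAX_REDIRECTS, 5).
-define(REDIRECT_CODES, [301, 302, 303, 307, 308]).

%% GET Url with Headers, following redirects ourselves. autoredirect is
%% forced off so httpc_response:redirect/2 is never used to build a hop.
safe_get(Url, Headers, HttpOptions) ->
    Opts = [{autoredirect, false} | proplists:delete(autoredirect, HttpOptions)],
    follow(Url, Headers, Opts, ?MAX_REDIRECTS).

follow(_Url, _Headers, _Opts, 0) ->
    {error, too_many_redirects};
follow(Url, Headers, Opts, Left) ->
    case httpc:request(get, {Url, Headers}, Opts, []) of
        {ok, {{_Vsn, Code, _Reason}, RespHeaders, _Body}} = Resp ->
            case lists:member(Code, ?REDIRECT_CODES) of
                false -> Resp;
                true  -> redirect(Url, Headers, Opts, RespHeaders, Left)
            end;
        Other ->
            Other
    end.

redirect(Url, Headers, Opts, RespHeaders, Left) ->
    case header_value("location", RespHeaders) of
        undefined ->
            {error, redirect_without_location};
        Location ->
            %% Resolve relative Locations against the current URL. An absolute
            %% or network-path Location brings its own authority, so userinfo
            %% from Url (the source of httpc's Basic header) is not carried over.
            case uri_string:resolve(Location, Url) of
                {error, _, _} ->
                    {error, bad_location};
                Target ->
                    NextHeaders = case same_origin(Url, Target) of
                                      true  -> Headers;
                                      false -> strip_credentials(Headers)
                                  end,
                    follow(Target, NextHeaders, Opts, Left - 1)
            end
    end.

%% Origin is {scheme, host, port}; default ports are filled in so that
%% "https://a.example" and "https://a.example:443" compare equal.
same_origin(UrlA, UrlB) ->
    origin(UrlA) =:= origin(UrlB).

origin(Url) ->
    M = uri_string:parse(Url),
    Scheme = string:lowercase(maps:get(scheme, M, "")),
    Host = string:lowercase(maps:get(host, M, "")),
    Port = maps:get(port, M, default_port(Scheme)),
    {Scheme, Host, Port}.

default_port("https") -> 443;
default_port("http") -> 80;
default_port(_) -> undefined.

%% Remove the two headers that must not cross an origin boundary.
strip_credentials(Headers) ->
    [{K, V} || {K, V} <- Headers,
               not lists:member(string:lowercase(K),
                                ["authorization", "proxy-authorization"])].

%% httpc returns response header names in lowercase; compare
%% case-insensitively anyway.
header_value(Name, Headers) ->
    case [V || {K, V} <- Headers, string:lowercase(K) =:= Name] of
        [V | _] -> V;
        []      -> undefined
    end.
```

Start inets (and ssl for https URLs) before calling it: application:ensure_all_started(inets) and application:ensure_all_started(ssl). uri_string:resolve/2 requires OTP 22.3 or later. The wrapper only handles GET because that is the method httpc's auto-follow path would end up with anyway; same-origin redirects keep the headers intact, so behaviour against a well-behaved server does not change.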


Advisories

No advisories yet.

History

Wed, 10 Jun 2026 17:30:00 +0000

Type: Metrics
Values added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 10 Jun 2026 16:00:00 +0000

Type: Description
Values added: (identical to the Description section above)
Type: Title
Values added: httpc leaks Authorization header to cross-origin redirect targets
Type: First Time appeared
Values added: Erlang; Erlang erlang/otp
Type: Weaknesses
Values added: CWE-601
Type: CPEs
Values added: cpe:2.3:a:erlang:erlang/otp:*:*:*:*:*:*:*:*
Type: Vendors & Products
Values added: Erlang; Erlang erlang/otp
Type: References
Type: Metrics
Values added: cvssV4_0
{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Erlang Erlang/otp
MITRE

Status: PUBLISHED

Assigner: EEF

Published:

Updated: 2026-06-10T16:24:02.066Z

Reserved: 2026-05-25T20:44:10.697Z

Link: CVE-2026-48856

Vulnrichment

Updated: 2026-06-10T16:23:58.154Z

NVD

Status : Received

Published: 2026-06-10T16:17:10.053

Modified: 2026-06-10T16:17:10.053

Link: CVE-2026-48856

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T17:30:36Z

Weaknesses