Erlang OTP httpc_response.erl host redirect

Summaryinfo

A vulnerability was found in Erlang OTP. It has been rated as problematic. This issue affects some unknown processing in the library lib/inets/src/http_client/httpc_response.erl. Performing a manipulation of the argument host results in redirect. This vulnerability is cataloged as CVE-2026-48856. It is possible to initiate the attack remotely. There is no exploit available. Upgrading the affected component is advised.

Detailsinfo

A vulnerability, which was classified as problematic, was found in Erlang OTP (version unknown). This affects an unknown function in the library lib/inets/src/http_client/httpc_response.erl. The manipulation of the argument host with an unknown input leads to a redirect vulnerability. CWE is classifying the issue as CWE-601. A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks. This is going to have an impact on integrity. The summary by CVE is:

Sensitive Data Exposure vulnerability in Erlang OTP inets (httpc_response module) allows Retrieve Embedded Sensitive Data. The httpc client forwards the Authorization and Proxy-Authorization request headers to redirect targets without checking whether the redirect crosses an origin boundary. httpc_response:redirect/2 constructs the redirected request by updating only the host field of the header record; all other fields (including authorization and proxy_authorization) are copied verbatim. The redirect target host is never compared against the original host. autoredirect defaults to true, so this affects all httpc callers that do not explicitly disable automatic redirects. An attacker who controls a server that the victim contacts via httpc can issue a cross-origin 3xx redirect to a server they also control. The Authorization header (including Basic credentials derived from URL userinfo via httpc_request:handle_user_info/2) is forwarded to the redirect target, allowing credential theft. The same applies to the Proxy-Authorization header. This vulnerability is associated with program files lib/inets/src/http_client/httpc_response.erl. This issue affects OTP from 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10 before 9.7.1, 9.6.2.2 and 9.3.2.6.

The weakness was shared by Jonatan Männchen as GHSA-m75x-4vwg-ggjh. The advisory is shared at github.com. This vulnerability is uniquely identified as CVE-2026-48856 since 05/25/2026. The exploitability is told to be easy. It is possible to initiate the attack remotely. No form of authentication is needed for exploitation. It demands that the victim is doing some kind of user interaction. Technical details are known, but no exploit is available. MITRE ATT&CK project uses the attack technique T1204.001 for this issue.

The vulnerability scanner Nessus provides a plugin with the ID 320495 (Linux Distros Unpatched Vulnerability : CVE-2026-48856), which helps to determine the existence of the flaw in a target environment.

Upgrading eliminates this vulnerability. Applying the patch 688d748d6f7a6a06b13b662a1d3de8af97079612 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the vulnerability database at Tenable (320495). Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Vendor

• Erlang

Name

• OTP

License

• open-source

Website

• Product: https://github.com/erlang/otp/

CPE 2.3info

• 🔒

CPE 2.2info

• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Discussion