CVE-2026-48856: httpc leaks Authorization header to cross-origin redirect targets
Sensitive Data Exposure vulnerability in Erlang OTP inets (httpc_response module) allows Retrieve Embedded Sensitive Data. The httpc client forwards the Authorization and Proxy-Authorization request headers to redirect targets without checking whether the redirect crosses an origin boundary. httpc_response:redirect/2 constructs the redirected request by updating only the host field of the header record; all other fields (including authorization and proxy_authorization) are copied verbatim. The redirect target host is never compared against the original host. autoredirect defaults to true, so this affects all httpc callers that do not explicitly disable automatic redirects. An attacker who controls a server that the victim contacts via httpc can issue a cross-origin 3xx redirect to a server they also control. The Authorization header (including Basic credentials derived from URL userinfo via httpc_request:handle_user_info/2) is forwarded to the redirect target, allowing credential theft. The same applies to the Proxy-Authorization header. This vulnerability is associated with program files lib/inets/src/http_client/httpc_response.erl. This issue affects OTP from 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10 before 9.7.1, 9.6.2.2 and 9.3.2.6.
Metrics
- CVSS v4.0: 7.1
- Severity: HIGH
- Fixed in: *
- Affected Products: 2
HarborGuard Analysis
Synopsis
This is a sensitive data exposure vulnerability in the Erlang OTP inets httpc HTTP client. A remote attacker who controls a server that a victim application contacts can issue a cross-origin 3xx redirect to a second attacker-controlled server; because httpc_response copies the Authorization and Proxy-Authorization headers verbatim to the redirected request without checking whether the target host has changed, those credentials are forwarded to the redirect target. Successful exploitation allows the attacker to steal HTTP Basic credentials (including those derived from URL userinfo) and Proxy-Authorization tokens. A patched-image rebuild at the fixed commit (688d748d6f7a6a06b13b662a1d3de8af97079612) and the fixed OTP point releases is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Erlang OTP or the inets library directly. Any image layer containing an affected inets version (from 5.10, before 9.7.1, 9.6.2.2, or 9.3.2.6) is flagged automatically.
HarborGuard scores this CVE at CVSS 7.1 HIGH and weights it further against each environment's compliance policy, surfacing the finding to the team or inbox configured for high-severity credential-exposure issues. Per-environment policy rules can also escalate or suppress based on whether httpc is reachable from untrusted network paths.
A patched-image rebuild targeting OTP 29.0.2, 28.5.0.2, or 27.3.4.13 (inets 9.7.1, 9.6.2.2, or 9.3.2.6 respectively) becomes available on HarborGuard for every image flagged as affected. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the resulting image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled.
Exploit Conditions
- Network reachability: Required
The attacker must be able to operate a server reachable over the network that the victim application contacts via httpc, and must also control a second server to receive the forwarded credentials.
- Authentication: Not required
No account or credential on the target system is needed; the attacker only needs to control the initial server that issues the redirect.
- Victim interaction: Required
The victim application (or a user whose credentials it forwards) must make an httpc request to the attacker-controlled server, making this a social-engineering or supply-chain misdirection vector.
- Attack complexity
Exploit conditions are straightforward and reliable: autoredirect defaults to true and no race condition or special memory layout is required, so any httpc caller that does not explicitly disable automatic redirects is affected.
Blast Radius
- Reads the Authorization header forwarded in the redirected request, recovering HTTP Basic credentials including those embedded as URL userinfo.
- Reads the Proxy-Authorization header forwarded in the same redirect, recovering proxy credentials used by the application.
- Gains any credential material sent in subsequent requests if the application reuses the same httpc session toward the redirect target.
How HarborGuard Handles This
Available on HarborGuard: images containing affected Erlang OTP inets versions are matched automatically within minutes of CVE ingestion. A rebuild targeting the fixed point releases (OTP 29.0.2, 28.5.0.2, or 27.3.4.13) is available for every affected image. For customers who opt into auto-remediation, HarborGuard rebuilds the image, executes regression tests, and opens a pull request against affected workloads, with a median turnaround of roughly 90 minutes for high-severity findings. Where auto-remediation is not enabled or while a rebuild is being validated, compensating controls worth applying include: setting the httpc option {autoredirect, false} in all httpc:request calls and handling redirects manually after stripping the Authorization header; applying network policy to restrict which external hosts httpc-using services may contact; and rotating any credentials that may have been exposed if the vulnerability was present in a deployed image before patching.
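The compensating control above (disable autoredirect, follow 3xx responses manually, strip credential headers before crossing an origin) as an added example; this is not OTP's or HarborGuard's code. It assumes OTP 22.3 or later for uri_string:resolve/2, that inets and ssl have been started, and that the caller passes Authorization or Proxy-Authorization explicitly rather than via URL userinfo.

```erlang
%% Added example (not OTP or HarborGuard code): manual redirect handling that
%% drops credential headers whenever the redirect target is a different origin.
-module(safe_redirect).
-export([fetch/2, same_origin/2, strip_credentials/1]).

fetch(Url, Headers) -> fetch(Url, Headers, 5).   % follow at most 5 hops

fetch(_Url, _Headers, 0) -> {error, too_many_redirects};
fetch(Url, Headers, HopsLeft) ->
    %% {autoredirect, false} is the compensating control named in the advisory.
    case httpc:request(get, {Url, Headers}, [{autoredirect, false}], []) of
        {ok, {{_Vsn, Code, _Reason}, RespHdrs, _Body}} when Code >= 300, Code < 400 ->
            %% httpc returns response header names in lower case.
            case lists:keyfind("location", 1, RespHdrs) of
                {_, Location} ->
                    Next = resolve(Url, Location),
                    NextHeaders = case same_origin(Url, Next) of
                                      true  -> Headers;
                                      false -> strip_credentials(Headers)
                                  end,
                    fetch(Next, NextHeaders, HopsLeft - 1);
                false ->
                    {error, {redirect_without_location, Code}}
            end;
        Other ->
            Other   % final response or {error, Reason}
    end.

%% Same origin means same scheme, host and effective port; comparing only the
%% host (or nothing, as in the vulnerable redirect/2 path) is not sufficient.
same_origin(UrlA, UrlB) -> origin(UrlA) =:= origin(UrlB).

origin(Url) ->
    #{scheme := Scheme0, host := Host} = Parsed = uri_string:parse(Url),
    Scheme = string:lowercase(Scheme0),
    {Scheme, string:lowercase(Host), maps:get(port, Parsed, default_port(Scheme))}.

default_port("https") -> 443;
default_port(_)       -> 80.

%% Drop credential-bearing request headers, matching names case-insensitively.
strip_credentials(Headers) ->
    [H || {Name, _} = H <- Headers,
          not lists:member(string:lowercase(Name),
                           ["authorization", "proxy-authorization"])].

%% Location may be relative; resolve it against the URL that was just requested.
resolve(Base, Location) ->
    case uri_string:resolve(Location, Base) of
        {error, _, _} -> Location;
        Resolved      -> Resolved
    end.
```

Because the redirected request is rebuilt from the Location value rather than from the original URL, userinfo in the first URL is not carried over either, which closes the httpc_request:handle_user_info/2 path the advisory mentions.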
- Erlang / OTP: < * (from 5.10)
- Erlang / OTP: < * (from 17.0) · < 688d748d6f7a6a06b13b662a1d3de8af97079612 (from 84adefa331c4159d432d22840663c38f155cd4c1)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N