Skip to main content

Elixir Tesla EUVDEUVD-2026-34014

| CVE-2026-48595 HIGH
Improper Handling of Case Sensitivity (CWE-178)
2026-06-02 EEF GHSA-9m9w-gxf7-rh8m
8.2
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 02, 2026 - 20:27 vuln.today
Analysis Generated
Jun 02, 2026 - 20:27 vuln.today
CVSS changed
Jun 02, 2026 - 20:22 NVD
8.2 (HIGH)

DescriptionCVE.org

Improper Handling of Case Sensitivity vulnerability in elixir-tesla tesla allows credential leakage to a third-party origin on cross-origin redirects.

Tesla.Middleware.FollowRedirects strips security-sensitive headers on cross-origin redirects using a case-sensitive string comparison against a lowercase filter list (@filter_headers ["authorization", "host"]). HTTP header names are case-insensitive per RFC 7230, but Tesla preserves header keys verbatim as supplied by the caller without normalizing case. A header set as {"Authorization", "Bearer …"} (the RFC 7235 canonical casing used by virtually all HTTP libraries and documentation) does not match the lowercase filter entry and is forwarded to the redirect destination. An attacker who can control or influence a Location: response seen by the client (via their own endpoint, a redirect-open upstream, or a compromised origin) receives the bearer token or other Authorization material on the cross-origin request.

This issue affects tesla: from 1.4.0 before 1.18.3.

AnalysisAI

Credential leakage in elixir-tesla (Tesla HTTP client for Elixir) versions 1.4.0 through 1.18.2 allows Authorization and Host headers to be forwarded to attacker-controlled origins during cross-origin HTTP redirects. The Tesla.Middleware.FollowRedirects component compares header names case-sensitively against a lowercase filter list, so headers using the RFC 7235 canonical casing (e.g., 'Authorization') bypass stripping and reach the redirect target. No public exploit identified at time of analysis, but the upstream fix is committed and a patched release (1.18.3) is available.

Technical ContextAI

Tesla is a widely used HTTP client library for the Elixir/Erlang ecosystem, typically embedded in service clients, SDKs, and webhook integrations. The vulnerability sits in lib/tesla/middleware/follow_redirects.ex, where filter_headers/3 used k not in @filter_headers with @filter_headers hardcoded to the lowercase strings 'authorization' and 'host'. Because Tesla preserves caller-supplied header keys verbatim and HTTP header names are case-insensitive per RFC 7230/9110, any header set with non-lowercase casing - including the canonical 'Authorization' form emitted by nearly every HTTP library, documentation example, and SDK - fails the comparison and survives the redirect. This is a textbook CWE-178 (Improper Handling of Case Sensitivity) issue: a security-critical comparison performed on text whose semantics are case-insensitive. The remediation commit (db963db) replaces the membership check with String.downcase(key) in drop and additionally expands the stripped set to cover hop-by-hop headers, Cookie, Proxy-Authorization, Referer, Origin, and request-body metadata on 303 method changes, aligning with RFC 9110 §15.4.

RemediationAI

Vendor-released patch: upgrade tesla to 1.18.3 or later (fix commit db963dba67651b9abd1fc420a1d9679cf6efe182, advisory GHSA-9m9w-gxf7-rh8m). Update mix.exs to {:tesla, "~> 1.18.3"} and run mix deps.update tesla. If an immediate upgrade is not possible, the most effective workaround is to remove Tesla.Middleware.FollowRedirects from the middleware stack and handle redirects manually with explicit per-hop header control - the trade-off is that any client relying on automatic redirect following will break and must be refactored. As a less invasive interim mitigation, normalize all sensitive header keys to lowercase at the call site (e.g., {"authorization", "Bearer …"} instead of {"Authorization", …}), which matches the legacy filter list; the trade-off is that this only covers Authorization and Host (not Cookie, Proxy-Authorization, Referer, Origin, which the patched version also strips) and is easy to regress when new call sites are added. Restricting outbound HTTP to an allowlist of known hosts at the egress proxy layer also limits where leaked credentials can be sent, at the cost of operational overhead for legitimate third-party integrations.

CVE-2012-0217 HIGH POC
7.2 Jun 12

The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and

CVE-2026-33309 CRITICAL POC
9.9 Mar 19

An authenticated path traversal vulnerability in Langflow's file upload functionality allows attackers to write arbitrar

CVE-2019-7304 CRITICAL POC
9.8 Apr 23

Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitra

CVE-2026-33186 CRITICAL POC
9.1 Mar 18

An authorization bypass vulnerability in gRPC-Go allows attackers to circumvent path-based access control by sending HTT

CVE-2026-50180 HIGH POC
8.7 Jul 02

Arbitrary file read in Langroid's SQLChatAgent (<= 0.63.0) lets an attacker who can influence the LLM-generated SQL exfi

CVE-2020-14966 HIGH POC
7.5 Jun 22

An issue was discovered in the jsrsasign package through 8.0.18 for Node.js. Rated high severity (CVSS 7.5), this vulner

CVE-2020-13822 HIGH POC
7.7 Jun 04

The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' byte

CVE-2026-29181 HIGH POC
7.5 Apr 07

Resource exhaustion in OpenTelemetry Go propagation library (v1.41.0 and earlier) enables remote attackers to trigger se

CVE-2019-7303 HIGH POC
7.5 Apr 23

A vulnerability in the seccomp filters of Canonical snapd before version 2.37.4 allows a strict mode snap to insert char

CVE-2014-4699 MEDIUM POC
6.9 Jul 09

The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved

CVE-2017-7725 MEDIUM POC
6.1 Apr 13

concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca

CVE-2026-48816 MEDIUM POC
6.5 Jul 01

Timestamp forgery in sigstore-js allows an attacker supplying a crafted bundle v0.2 to manipulate certificate validity w

Share

EUVD-2026-34014 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy