CVSS Vector (NVD)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (NVD)
Sensitive Data Exposure vulnerability in Erlang OTP inets (httpc_response module) allows Retrieve Embedded Sensitive Data.
The httpc client forwards the Authorization and Proxy-Authorization request headers to redirect targets without checking whether the redirect crosses an origin boundary. httpc_response:redirect/2 constructs the redirected request by updating only the host field of the header record; all other fields (including authorization and proxy_authorization) are copied verbatim. The redirect target host is never compared against the original host.
autoredirect defaults to true, so this affects all httpc callers that do not explicitly disable automatic redirects.
An attacker who controls a server that the victim contacts via httpc can issue a cross-origin 3xx redirect to a server they also control. The Authorization header (including Basic credentials derived from URL userinfo via httpc_request:handle_user_info/2) is forwarded to the redirect target, allowing credential theft. The same applies to the Proxy-Authorization header.
This vulnerability is associated with program files lib/inets/src/http_client/httpc_response.erl.
This issue affects OTP from 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10 before 9.7.1, 9.6.2.2 and 9.3.2.6.
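As an added illustration (not code from the OTP project or from this advisory), the Erlang module below performs the origin comparison that httpc_response:redirect/2 omits: it turns autoredirect off, follows 3xx responses by hand, and removes Authorization and Proxy-Authorization whenever a hop leaves the original scheme, host and port. Module and function names are my own; it assumes string URLs and that inets and ssl have been started.

```erlang
-module(safe_redirect).
-export([same_origin/2, strip_credentials/1, request/3]).

%% Added example, not OTP code: the origin of a URL as {Scheme, Host, Port},
%% with the scheme's default port filled in when the URL carries none.
origin(Url) ->
    #{scheme := S, host := H} = Parsed = uri_string:parse(Url),
    Scheme = string:lowercase(S),
    {Scheme, string:lowercase(H), maps:get(port, Parsed, default_port(Scheme))}.

default_port("https") -> 443;
default_port(_) -> 80.

%% The comparison the vulnerable httpc_response:redirect/2 never performs.
same_origin(UrlA, UrlB) ->
    origin(UrlA) =:= origin(UrlB).

%% Drop the two headers that the vulnerable client replays verbatim.
strip_credentials(Headers) ->
    [Hdr || {Field, _} = Hdr <- Headers,
            not lists:member(string:lowercase(Field),
                             ["authorization", "proxy-authorization"])].

%% GET Url with autoredirect disabled and follow at most MaxHops redirects
%% ourselves, removing credentials on any cross-origin hop.
%% Assumes inets:start() and ssl:start() have already been called.
request(Url, Headers, MaxHops) ->
    case httpc:request(get, {Url, Headers}, [{autoredirect, false}], []) of
        {ok, {{_, Code, _}, RespHdrs, _}} = Resp
          when Code >= 300, Code < 400, MaxHops > 0 ->
            case lists:keyfind("location", 1, RespHdrs) of
                {_, Location} ->
                    %% Location may be relative; resolve it against Url.
                    Next = uri_string:resolve(Location, Url),
                    NextHeaders = case same_origin(Url, Next) of
                                      true  -> Headers;
                                      false -> strip_credentials(Headers)
                                  end,
                    request(Next, NextHeaders, MaxHops - 1);
                false ->
                    Resp
            end;
        Other ->
            Other
    end.
```

Because the next hop is built from the Location header rather than from the original request record, Basic credentials that httpc derives from URL userinfo are not carried across the hop either.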
Analysis (AI)
Credential leakage in Erlang/OTP's inets httpc client (versions 17.0 through 29.0.2, 28.5.0.2, and 27.3.4.13) allows attacker-controlled servers to harvest Authorization and Proxy-Authorization headers by issuing cross-origin 3xx redirects. Because httpc_response:redirect/2 only updates the host field and copies all other headers verbatim - and autoredirect defaults to true - any httpc caller using HTTP Basic auth or URL userinfo silently forwards credentials to the redirect target. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Requires the victim application to (1) use Erlang/OTP inets httpc to make an outbound HTTP request, (2) leave autoredirect at its default value of true, (3) include an Authorization or Proxy-Authorization header on that request, either set explicitly or derived from URL userinfo by httpc_request:handle_user_info/2, and (4) contact a server the attacker controls or can influence (e.g., a user-supplied URL, a compromised upstream, DNS rebinding, or a webhook target). … |
| Risk Assessment | The CVSS 4.0 vector AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N scores 7.1: network-reachable, low complexity, no privileges, but passive user interaction is required (the victim application must initiate the httpc request). … |
| Exploit Scenario | An attacker registers a webhook, OAuth callback, or any user-supplied URL on a victim Erlang/Elixir service that fetches external resources via httpc with HTTP Basic credentials (often inherited from configured API integrations or URL userinfo). When the service issues the httpc GET, the attacker's server responds with a 301/302 redirect to a second host the attacker controls; httpc transparently follows the redirect and replays the Authorization (and Proxy-Authorization) header to the attacker's collection endpoint. … |
| Remediation | Vendor-released patch: upgrade to OTP 29.0.2, 28.5.0.2, or 27.3.4.13 (equivalently inets 9.7.1, 9.6.2.2, or 9.3.2.6) per advisory GHSA-m75x-4vwg-ggjh and commit 688d748d6f7a6a06b13b662a1d3de8af97079612. … |
Recommended Action (AI)
Within 24 hours: inventory all applications using Erlang/OTP versions 17.0-29.0.2, 28.5.0.2, and 27.3.4.13. …
EUVD reference: EUVD-2026-36058