Skip to main content

elixir-plug EUVDEUVD-2026-42876

| CVE-2026-56813 LOW
Improper Neutralization of Parameter/Argument Delimiters (CWE-141)
2026-07-10 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
2.1
CVSS 4.0 · Vendor: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db

Severity by source

Vendor (6b3ad84c-e1a6-4bf7-a703-f496b71e49db) PRIMARY
2.1 LOW
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.7 MEDIUM

Network vector for HTTP-based attack; AC:H for prerequisite of reflecting user data into cookies; S:C for cross-browser cookie security impact.

3.1 AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N

Primary rating from Vendor (6b3ad84c-e1a6-4bf7-a703-f496b71e49db).

CVSS VectorVendor: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db

CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 10, 2026 - 14:01 EUVD
Analysis Generated
Jul 10, 2026 - 13:34 vuln.today

DescriptionCVE.org

Improper Neutralization of Parameter/Argument Delimiters vulnerability in elixir-plug plug allows an attacker to inject or override HTTP cookie attributes.

The Plug.Conn.Cookies.encode/2 function in lib/plug/conn/cookies.ex builds the Set-Cookie response header by interpolating the cookie value and its path, domain, same_site, and extra attributes directly into the header without neutralizing the ';' delimiter that separates cookie attributes.

An application that places attacker-controlled data into a cookie value or attribute (for example via Plug.Conn.put_resp_cookie/4 when reflecting a username or preference) lets an attacker inject a ';' to append or override cookie attributes (such as Domain and Path scope, or dropping the Secure and HttpOnly flags), enabling cookie tossing and session fixation. Carriage return, line feed, and null bytes are rejected by Plug.Conn header validation, so HTTP response splitting is not possible, but attribute injection through ';' is not prevented.

This issue affects plug: from 0.1.0 before 1.16.6, from 1.17.0 before 1.17.4, from 1.18.0 before 1.18.5, from 1.19.0 before 1.19.5, from 1.20.0 before 1.20.3.

AnalysisAI

Cookie attribute injection in elixir-plug's Plug library allows a remote attacker who can supply values reflected into Set-Cookie headers to inject the ; delimiter and override attributes such as Domain, Path, Secure, and HttpOnly. Applications calling Plug.Conn.put_resp_cookie/4 with user-controlled data - for example, reflecting a username or preference value - are exposed to session fixation and cookie tossing across five supported release lines (0.1.0 through 1.20.2). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker submits HTTP request with `;`-injected payload in user-controlled field
Delivery
Application passes payload to `put_resp_cookie/4` without sanitization
Exploit
`Cookies.encode/2` interpolates `;` into Set-Cookie header unescaped
Execution
Browser parses injected cookie attributes as legitimate
Persist
Cookie domain or path scope widened or Secure/HttpOnly flags stripped
Impact
Session fixation or cross-domain cookie tossing achieved

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target application passes attacker-influenced data - such as a user-supplied username, locale preference, redirect path, or any other externally sourced value - directly into the value or optional attribute parameters (path, domain, same_site, extra) of `Plug.Conn.put_resp_cookie/4`. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CNA-assigned CVSS 4.0 score of 2.1 (AV:L/AC:L/AT:P/PR:N/UI:N) appears to underrepresent network reachability: the practical attack path is HTTP-based, not local system access, suggesting AV:L may reflect conservative scoring of a server-side code-quality issue rather than directly network-exploitable behavior. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers an account with a crafted username such as `alice; Domain=.attacker.com; Secure=false` and triggers an application flow where that value is reflected into a session cookie via `put_resp_cookie`. Because `Cookies.encode/2` interpolates the value without sanitizing `;`, the resulting `Set-Cookie` header includes the injected `Domain` attribute, causing the victim's browser to store the cookie with widened domain scope. …
Remediation Upgrade Plug to the patched release for your active branch: 1.16.6, 1.17.4, 1.18.5, 1.19.5, or 1.20.3, referencing the upstream fix commit at https://github.com/elixir-plug/plug/commit/c6575800b2c4e15af1904df87522ca8a23da020c and the full advisory at https://github.com/elixir-plug/plug/security/advisories/GHSA-wpmj-jh88-rpgm. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42876 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy