Description

Sensitive Data Exposure vulnerability in benoitc hackney allows Retrieve Embedded Sensitive Data. The HTTP/3 redirect handler in src/hackney_h3.erl passes the original request headers unchanged to the redirect target without performing any cross-origin check. When a client issues an HTTP/3 request with follow_redirect enabled and includes Authorization or Cookie headers, a server responding with a 3xx redirect to a different host will cause the client to forward those credentials verbatim to the new origin. The main hackney.erl module has maybe_strip_auth_on_redirect/2 (guarded by the location_trusted option) to address CVE-2018-1000007, but hackney_h3.erl is missing this protection entirely. This issue affects hackney: from 3.1.1 before 4.0.1.
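As an added illustration (not hackney's code), the same-origin check that the description says is missing from the HTTP/3 redirect path, written in Python: credential headers are forwarded only when the redirect target has the same origin as the original request, or when the caller has explicitly opted in via a flag modelled on hackney's location_trusted option. The function names, the constructed sample headers and URLs are assumptions made here for the example.

```python
from urllib.parse import urljoin, urlsplit

# The two credential-bearing headers named in the advisory. Compared
# case-insensitively because HTTP header names are case-insensitive.
CREDENTIAL_HEADERS = frozenset({"authorization", "cookie"})

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, effective port) for url.

    Default ports are made explicit so that https://h/ and https://h:443/
    compare equal, and a scheme downgrade (https -> http) compares unequal.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def headers_for_redirect(headers, request_url, location, location_trusted=False):
    """Return the headers a client should send to a 3xx redirect target.

    The Location value is resolved against the original request URL first,
    so a relative redirect (e.g. "/login") correctly counts as same-origin.
    Credentials cross an origin boundary only if location_trusted is set
    (the opt-in role hackney's location_trusted option plays).
    """
    target = urljoin(request_url, location)
    if location_trusted or origin(request_url) == origin(target):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in CREDENTIAL_HEADERS}


if __name__ == "__main__":
    # Constructed sample request: a bearer token and a session cookie.
    sample = {"Authorization": "Bearer t0ken", "Cookie": "sid=abc", "Accept": "*/*"}
    # Cross-host redirect: credentials are dropped, other headers kept.
    print(headers_for_redirect(sample, "https://api.example.com/v1", "https://other.example.net/"))
    # Relative redirect on the same origin: everything is forwarded.
    print(headers_for_redirect(sample, "https://api.example.com/v1", "/v2"))
```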

PUBLISHED | Reserved 2026-05-18 | Published 2026-05-25 | Updated 2026-05-27 | Assigner EEF

MEDIUM: 6.0 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-601 URL Redirection to Untrusted Site ('Open Redirect')

Product status

Default status
unaffected

3.1.1 (semver) before 4.0.1
affected

Default status
unaffected

e61b7d04b7826847e1efe614106ef4d580c78eab (git) before c58d5b50bade146360b85caf3dc8065807b08246
affected

Credits

Peter Ullrich finder

Benoit Chesneau remediation developer

Jonatan Männchen / EEF analyst

References

github.com/...ackney/security/advisories/GHSA-h73q-4w9q-82h4 exploit

github.com/...ackney/security/advisories/GHSA-h73q-4w9q-82h4 vendor-advisory related

cna.erlef.org/cves/CVE-2026-47070.html related

osv.dev/vulnerability/EEF-CVE-2026-47070 related

github.com/...ommit/c58d5b50bade146360b85caf3dc8065807b08246 patch

cve.org (CVE-2026-47070)

nvd.nist.gov (CVE-2026-47070)