CVE-2026-48856: Erlang OTP Information Disclosure Flaw

CVE-2026-48856 Overview

CVE-2026-48856 is a sensitive data exposure flaw in the Erlang/OTP inets application, specifically in the httpc_response module. The httpc client forwards Authorization and Proxy-Authorization headers to redirect targets without verifying whether the redirect crosses an origin boundary. Because autoredirect defaults to true, every caller that does not explicitly disable automatic redirects is exposed. An attacker controlling a server contacted by httpc can issue a cross-origin 3xx redirect to a host they also control and harvest the forwarded credentials. The issue is classified under CWE-601 (URL Redirection to Untrusted Site).

Critical Impact

Cross-origin HTTP redirects leak Authorization and Proxy-Authorization headers, including Basic credentials derived from URL userinfo, enabling credential theft against any Erlang/OTP service that uses httpc with default settings.

Affected Products

• Erlang/OTP 17.0 through versions before 29.0.2
• Erlang/OTP 28.5.0.2 and 27.3.4.13 (corresponding patch lines)
• inets 5.10 through versions before 9.7.1, 9.6.2.2, and 9.3.2.6

Discovery Timeline

• 2026-06-10 - CVE CVE-2026-48856 published to NVD
• 2026-06-10 - Last updated in NVD database

Technical Details for CVE-2026-48856

Vulnerability Analysis

The defect lives in lib/inets/src/http_client/httpc_response.erl, in the httpc_response:redirect/2 function. When the client receives a 3xx response, it constructs a new request by updating only the host field of the #http_request_h{} header record. All other header fields, including authorization and proxy_authorization, are copied verbatim into the redirected request.

The redirected request is then dispatched to the target indicated by the Location header without comparing that target's host or port against the original request's origin. RFC 9110 §15.4 explicitly requires user agents to strip credentials on cross-origin redirects, and httpc did not enforce that requirement.

This behavior affects any Erlang application that calls httpc:request/1,2,3,4,5 against an attacker-influenced URL, including pipelines that fetch metadata, webhooks, package mirrors, or third-party APIs. Credentials supplied via userinfo in the URL are converted to Basic Authorization by httpc_request:handle_user_info/2 and inherit the same flaw.

Root Cause

The root cause is missing origin comparison during redirect handling. redirect/2 builds the new request from the prior #request{} record, mutating only the host field on the headers record. Because autoredirect defaults to true, callers that rely on defaults silently follow redirects across origins while retaining sensitive headers.

Attack Vector

An attacker who controls or compromises any HTTP endpoint a victim queries with httpc returns a 3xx response with a Location pointing to attacker-controlled infrastructure. The follow-up request carries the original Authorization and Proxy-Authorization values, allowing the attacker to capture credentials, replay them, or pivot into the resource they protect.

                     NewURI = uri_string:normalize(
                                uri_string:recompose(URIMap)),
                     HostPort = http_request:normalize_host(TScheme, THost, TPort),
-                    NewHeaders =
+                    NewHeaders0 =
                         (Request#request.headers)#http_request_h{host = HostPort},
+                    %% RFC 9110 §15.4: strip Authorization, Proxy-Authorization,
+                    %% Cookie, Origin, and Referer on cross-origin redirects
+                    %% (different host or port).
+                    NewHeaders =
+                        case Request#request.address of
+                            {THost, TPort} ->
+                                NewHeaders0;
+                            _ ->
+                                CrossOriginOther = ["cookie", "origin"],
+                                OtherStripped = lists:filter(
+                                    fun({K, _}) ->
+                                        not lists:member(string:lowercase(K), CrossOriginOther)
+                                    end,
+                                    NewHeaders0#http_request_h.other),
+                                NewHeaders0#http_request_h{
+                                    authorization = undefined,
+                                    'proxy-authorization' = undefined,
+                                    referer = undefined,
+                                    other = OtherStripped}
+                        end,
                     NewRequest =
                         Request#request{redircount =
                                             Request#request.redircount+1,

Source: GitHub OTP Commit 688d748 — the fix compares the redirect target host and port to the original Request#request.address and strips authorization, proxy-authorization, referer, cookie, and origin headers when the origin changes.

Detection Methods for CVE-2026-48856

Indicators of Compromise

• Outbound HTTP 3xx responses originating from external services whose Location header points to a host distinct from the requested host.
• Successive httpc requests in network telemetry showing identical Authorization headers sent to two different destination hosts within the same TCP session window.
• Authentication events on protected APIs sourced from IP addresses not associated with the Erlang application's normal egress range.

Detection Strategies

• Inventory all Erlang/OTP deployments and confirm inets version against the fixed releases (9.7.1, 9.6.2.2, 9.3.2.6).
• Audit application code for httpc:request/* calls that pass URLs containing userinfo or that set the Authorization header without disabling autoredirect.
• Inspect egress proxy logs for redirect chains crossing host boundaries while carrying Authorization headers.

Monitoring Recommendations

• Forward outbound HTTP proxy and TLS metadata logs to a centralized analytics platform and alert on cross-origin redirects that preserve authentication headers.
• Rotate any static API tokens or Basic credentials that may have been used by httpc callers prior to patching.
• Monitor identity providers for anomalous use of service-account credentials issued to Erlang-based backends.

How to Mitigate CVE-2026-48856

Immediate Actions Required

• Upgrade Erlang/OTP to 29.0.2, 28.5.0.2, or 27.3.4.13, which contain inets versions 9.7.1, 9.6.2.2, or 9.3.2.6 respectively.
• For deployments that cannot upgrade immediately, disable automatic redirects by passing {autoredirect, false} to httpc:request/4 and handle 3xx responses explicitly.
• Rotate credentials that may have been transmitted through httpc to untrusted endpoints since the affected versions were deployed.

Patch Information

The fix is committed in lib/inets/src/http_client/httpc_response.erl and compares the redirect target against Request#request.address. When the host or port differs, authorization, proxy-authorization, referer, cookie, and origin headers are cleared before the new request is dispatched. See the GitHub Security Advisory GHSA-m75x-4vwg-ggjh and the CNA CVE-2026-48856 Record for full release details.

Workarounds

• Set {autoredirect, false} in every httpc:request/4 call and validate the Location host against an allowlist before re-issuing the request.
• Avoid embedding credentials in URLs passed to httpc; pass Authorization headers only after the final destination is verified.
• Route Erlang HTTP traffic through an egress proxy configured to strip Authorization and Proxy-Authorization headers on redirects to hosts outside an approved list.

# Verify installed Erlang/OTP and inets versions
erl -noshell -eval 'io:format("OTP ~s~n", [erlang:system_info(otp_release)]), {ok, Vsn} = application:get_key(inets, vsn), io:format("inets ~s~n", [Vsn]), halt().'

# Example: disable automatic redirects in application code
# httpc:request(get, {Url, Headers}, [], [{autoredirect, false}]).