CVE-2026-47070: CWE-601 URL Redirection to Untrusted Site ('Open Redirect') in benoitc hackney
Sensitive Data Exposure vulnerability in benoitc hackney allows Retrieve Embedded Sensitive Data. The HTTP/3 redirect handler in src/hackney_h3.erl passes the original request headers unchanged to the redirect target without performing any cross-origin check. When a client issues an HTTP/3 request with follow_redirect enabled and includes Authorization or Cookie headers, a server responding with a 3xx redirect to a different host will cause the client to forward those credentials verbatim to the new origin. The main hackney.erl module has maybe_strip_auth_on_redirect/2 (guarded by the location_trusted option) to address CVE-2018-1000007, but hackney_h3.erl is missing this protection entirely. This issue affects hackney: from 3.1.1 before 4.0.1.
AI Analysis
Technical Summary
The vulnerability CVE-2026-47070 in benoitc hackney involves the HTTP/3 redirect handler forwarding original request headers unchanged to redirect targets without cross-origin checks. When a client issues an HTTP/3 request with follow_redirect enabled and includes Authorization or Cookie headers, a 3xx redirect to a different host causes these credentials to be sent verbatim to the new origin. The main hackney module has a mechanism (maybe_strip_auth_on_redirect/2) guarded by a location_trusted option to mitigate a similar issue (CVE-2018-1000007), but this protection is missing in the hackney_h3.erl module. This affects versions from 3.1.1 before 4.0.1.
Potential Impact
Sensitive credentials such as Authorization and Cookie headers can be leaked to untrusted redirect targets during HTTP/3 redirects, potentially exposing sensitive data to malicious sites. This could lead to unauthorized access or data exposure if an attacker controls or intercepts the redirect destination. The CVSS score of 6 indicates a medium severity impact with network attack vector, low attack complexity, and partial user interaction required.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider disabling HTTP/3 redirects or the follow_redirect option when using hackney with HTTP/3 to prevent automatic forwarding of sensitive headers to untrusted origins. Monitoring vendor updates for a patch or official mitigation is recommended.
CVE-2026-47070: CWE-601 URL Redirection to Untrusted Site ('Open Redirect') in benoitc hackney
Description
Sensitive Data Exposure vulnerability in benoitc hackney allows Retrieve Embedded Sensitive Data. The HTTP/3 redirect handler in src/hackney_h3.erl passes the original request headers unchanged to the redirect target without performing any cross-origin check. When a client issues an HTTP/3 request with follow_redirect enabled and includes Authorization or Cookie headers, a server responding with a 3xx redirect to a different host will cause the client to forward those credentials verbatim to the new origin. The main hackney.erl module has maybe_strip_auth_on_redirect/2 (guarded by the location_trusted option) to address CVE-2018-1000007, but hackney_h3.erl is missing this protection entirely. This issue affects hackney: from 3.1.1 before 4.0.1.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability CVE-2026-47070 in benoitc hackney involves the HTTP/3 redirect handler forwarding original request headers unchanged to redirect targets without cross-origin checks. When a client issues an HTTP/3 request with follow_redirect enabled and includes Authorization or Cookie headers, a 3xx redirect to a different host causes these credentials to be sent verbatim to the new origin. The main hackney module has a mechanism (maybe_strip_auth_on_redirect/2) guarded by a location_trusted option to mitigate a similar issue (CVE-2018-1000007), but this protection is missing in the hackney_h3.erl module. This affects versions from 3.1.1 before 4.0.1.
Potential Impact
Sensitive credentials such as Authorization and Cookie headers can be leaked to untrusted redirect targets during HTTP/3 redirects, potentially exposing sensitive data to malicious sites. This could lead to unauthorized access or data exposure if an attacker controls or intercepts the redirect destination. The CVSS score of 6 indicates a medium severity impact with network attack vector, low attack complexity, and partial user interaction required.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider disabling HTTP/3 redirects or the follow_redirect option when using hackney with HTTP/3 to prevent automatic forwarding of sensitive headers to untrusted origins. Monitoring vendor updates for a patch or official mitigation is recommended.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- EEF
- Date Reserved
- 2026-05-18T17:28:08.322Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a149bd3a5ae1af1aad7731b
Added to database: 5/25/2026, 6:58:27 PM
Last enriched: 5/25/2026, 6:58:55 PM
Last updated: 5/26/2026, 7:54:31 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.