CVE-2026-48856: CWE-601 URL Redirection to Untrusted Site ('Open Redirect') in Erlang OTP
Sensitive Data Exposure vulnerability in Erlang OTP inets (httpc_response module) allows Retrieve Embedded Sensitive Data. The httpc client forwards the Authorization and Proxy-Authorization request headers to redirect targets without checking whether the redirect crosses an origin boundary. httpc_response:redirect/2 constructs the redirected request by updating only the host field of the header record; all other fields (including authorization and proxy_authorization) are copied verbatim. The redirect target host is never compared against the original host. autoredirect defaults to true, so this affects all httpc callers that do not explicitly disable automatic redirects. An attacker who controls a server that the victim contacts via httpc can issue a cross-origin 3xx redirect to a server they also control. The Authorization header (including Basic credentials derived from URL userinfo via httpc_request:handle_user_info/2) is forwarded to the redirect target, allowing credential theft. The same applies to the Proxy-Authorization header. This vulnerability is associated with program files lib/inets/src/http_client/httpc_response.erl. This issue affects OTP from 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10 before 9.7.1, 9.6.2.2 and 9.3.2.6.
AI Analysis
Technical Summary
The vulnerability in Erlang OTP's inets httpc_response module arises because the httpc client forwards Authorization and Proxy-Authorization headers to redirect targets without checking if the redirect crosses an origin boundary. Specifically, the function httpc_response:redirect/2 updates only the host field in the header record, copying all other fields verbatim, including sensitive authorization headers. Since autoredirect defaults to true, any httpc caller not disabling automatic redirects is affected. An attacker controlling a server contacted by the victim can issue a cross-origin 3xx redirect to a malicious server, causing credential theft via forwarded Authorization headers. This affects OTP versions from 17.0 before 29.0.2, 28.5.0.2, and 27.3.4.13, and corresponding inets versions from 5.10 before 9.7.1, 9.6.2.2, and 9.3.2.6.
Potential Impact
An attacker who controls a server that a vulnerable httpc client contacts can cause the client to send sensitive Authorization and Proxy-Authorization headers to a malicious redirect target. This can lead to credential theft, exposing sensitive data embedded in these headers. The vulnerability affects all clients using automatic redirects (enabled by default), increasing the risk of unauthorized disclosure of credentials.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, users should consider disabling automatic redirects in the httpc client to prevent forwarding authorization headers to untrusted redirect targets.
CVE-2026-48856: CWE-601 URL Redirection to Untrusted Site ('Open Redirect') in Erlang OTP
Description
Sensitive Data Exposure vulnerability in Erlang OTP inets (httpc_response module) allows Retrieve Embedded Sensitive Data. The httpc client forwards the Authorization and Proxy-Authorization request headers to redirect targets without checking whether the redirect crosses an origin boundary. httpc_response:redirect/2 constructs the redirected request by updating only the host field of the header record; all other fields (including authorization and proxy_authorization) are copied verbatim. The redirect target host is never compared against the original host. autoredirect defaults to true, so this affects all httpc callers that do not explicitly disable automatic redirects. An attacker who controls a server that the victim contacts via httpc can issue a cross-origin 3xx redirect to a server they also control. The Authorization header (including Basic credentials derived from URL userinfo via httpc_request:handle_user_info/2) is forwarded to the redirect target, allowing credential theft. The same applies to the Proxy-Authorization header. This vulnerability is associated with program files lib/inets/src/http_client/httpc_response.erl. This issue affects OTP from 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10 before 9.7.1, 9.6.2.2 and 9.3.2.6.
CVSS v4.0
Score 7.1high
Affected software
pkg:github/erlang/otpcpe:2.3:a:erlang:erlang\/otp:*:*:*:*:*:*:*:*Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in Erlang OTP's inets httpc_response module arises because the httpc client forwards Authorization and Proxy-Authorization headers to redirect targets without checking if the redirect crosses an origin boundary. Specifically, the function httpc_response:redirect/2 updates only the host field in the header record, copying all other fields verbatim, including sensitive authorization headers. Since autoredirect defaults to true, any httpc caller not disabling automatic redirects is affected. An attacker controlling a server contacted by the victim can issue a cross-origin 3xx redirect to a malicious server, causing credential theft via forwarded Authorization headers. This affects OTP versions from 17.0 before 29.0.2, 28.5.0.2, and 27.3.4.13, and corresponding inets versions from 5.10 before 9.7.1, 9.6.2.2, and 9.3.2.6.
Potential Impact
An attacker who controls a server that a vulnerable httpc client contacts can cause the client to send sensitive Authorization and Proxy-Authorization headers to a malicious redirect target. This can lead to credential theft, exposing sensitive data embedded in these headers. The vulnerability affects all clients using automatic redirects (enabled by default), increasing the risk of unauthorized disclosure of credentials.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, users should consider disabling automatic redirects in the httpc client to prevent forwarding authorization headers to untrusted redirect targets.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- EEF
- Date Reserved
- 2026-05-25T20:44:10.697Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a298ad7c9170919df367433
Added to database: 6/10/2026, 4:03:35 PM
Last enriched: 6/10/2026, 4:18:44 PM
Last updated: 6/10/2026, 5:51:03 PM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.