DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-48595: CVE-2026-48595: Cross-Origin Credential Leakage in Elixir Tesla Client via Case-Sensitive Redirect Filter Bypass

CVE-2026-48595: Cross-Origin Credential Leakage in Elixir Tesla Client via Case-Sensitive Redirect Filter Bypass

Vulnerability ID: CVE-2026-48595
CVSS Score: 8.2
Published: 2026-07-10

A high-severity security vulnerability in Elixir's Tesla HTTP client library (CVE-2026-48595) allows unauthenticated remote attackers to harvest sensitive credentials, including Authorization headers and cookies. The flaw resides in the 'Tesla.Middleware.FollowRedirects' component, which performs case-sensitive lookups when stripping credentials during cross-origin redirects. Because HTTP headers are case-insensitive by RFC specifications, standard canonical casing (e.g., 'Authorization') bypasses the lowercase-only blocklist, leaking tokens to untrusted external redirect destinations.

TL;DR

Case-sensitive header filtering in Tesla's FollowRedirects middleware fails to strip credentials like 'Authorization' during cross-origin redirects if they contain uppercase characters, leading to token leakage to untrusted hosts.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-178
  • Attack Vector: Network (Remote)
  • CVSS v4 Score: 8.2 (High)
  • EPSS Score: 0.00396 (0.40%)
  • Exploit Status: Proof of Concept (PoC) Publicly Available
  • CISA KEV Status: Not Listed

Affected Systems

  • Elixir systems integrating the elixir-tesla/tesla library with active follow-redirect modules.
  • tesla: >= 1.4.0, < 1.18.3 (Fixed in: 1.18.3)

Code Analysis

Commit: db963db

Hardens header filtering on redirect by introducing proper case normalization and aligning with RFC 9110 expectations.

Exploit Details

  • GitHub: Proof of Concept validation environment for reproducing the case-sensitivity bypass in elixir-tesla.

Mitigation Strategies

  • Upgrade the elixir-tesla/tesla dependency to version 1.18.3 or greater.
  • Normalize all outgoing HTTP header keys to lowercase at the application layer prior to dispatching requests.
  • Sanitize client-provided redirection inputs to avoid cross-origin redirection routes.

Remediation Steps:

  1. Open your project's mix.exs configuration file.
  2. Locate the {:tesla, ...} dependency definition.
  3. Modify the version constraint to requiring '~> 1.18.3' or greater.
  4. Execute 'mix deps.get' in your shell to fetch the updated packages.
  5. Rebuild and run tests to ensure no regression occurs.

References


Read the full report for CVE-2026-48595 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)