CVE-2026-48595: Cross-Origin Credential Leakage in Elixir Tesla Client via Case-Sensitive Redirect Filter Bypass
Vulnerability ID: CVE-2026-48595
CVSS Score: 8.2
Published: 2026-07-10
A high-severity security vulnerability in Elixir's Tesla HTTP client library (CVE-2026-48595) allows unauthenticated remote attackers to harvest sensitive credentials, including Authorization headers and cookies. The flaw resides in the 'Tesla.Middleware.FollowRedirects' component, which performs case-sensitive lookups when stripping credentials during cross-origin redirects. Because HTTP headers are case-insensitive by RFC specifications, standard canonical casing (e.g., 'Authorization') bypasses the lowercase-only blocklist, leaking tokens to untrusted external redirect destinations.
TL;DR
Case-sensitive header filtering in Tesla's FollowRedirects middleware fails to strip credentials like 'Authorization' during cross-origin redirects if they contain uppercase characters, leading to token leakage to untrusted hosts.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-178
- Attack Vector: Network (Remote)
- CVSS v4 Score: 8.2 (High)
- EPSS Score: 0.00396 (0.40%)
- Exploit Status: Proof of Concept (PoC) Publicly Available
- CISA KEV Status: Not Listed
Affected Systems
- Elixir systems integrating the elixir-tesla/tesla library with active follow-redirect modules.
-
tesla: >= 1.4.0, < 1.18.3 (Fixed in:
1.18.3)
Code Analysis
Commit: db963db
Hardens header filtering on redirect by introducing proper case normalization and aligning with RFC 9110 expectations.
Exploit Details
- GitHub: Proof of Concept validation environment for reproducing the case-sensitivity bypass in elixir-tesla.
Mitigation Strategies
- Upgrade the elixir-tesla/tesla dependency to version 1.18.3 or greater.
- Normalize all outgoing HTTP header keys to lowercase at the application layer prior to dispatching requests.
- Sanitize client-provided redirection inputs to avoid cross-origin redirection routes.
Remediation Steps:
- Open your project's mix.exs configuration file.
- Locate the {:tesla, ...} dependency definition.
- Modify the version constraint to requiring '~> 1.18.3' or greater.
- Execute 'mix deps.get' in your shell to fetch the updated packages.
- Rebuild and run tests to ensure no regression occurs.
References
- GitHub Security Advisory - GHSA-9m9w-gxf7-rh8m
- CNA EEF Advisory Record
- OSV Entry
- CVE.org Record Database
Read the full report for CVE-2026-48595 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)