DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-48861: CVE-2026-48861: HTTP Request Splitting and Smuggling via Method Parameter CRLF Injection in Elixir Mint

CVE-2026-48861: HTTP Request Splitting and Smuggling via Method Parameter CRLF Injection in Elixir Mint

Vulnerability ID: CVE-2026-48861
CVSS Score: 2.1
Published: 2026-07-09

CVE-2026-48861 is a client-side HTTP request-line CRLF (Carriage Return Line Feed) injection vulnerability in the popular Elixir HTTP client library, Mint. The vulnerability permits HTTP Request Splitting and HTTP Request Smuggling when an application forwards untrusted, attacker-controlled inputs to Mint's HTTP client requests as either the HTTP request method or target. By embedding CRLF characters within these parameters, an attacker can terminate the request line prematurely, inject malicious headers, or pipeline entirely independent requests. These smuggled requests are then processed by upstream or downstream proxy servers as separate HTTP queries on the same TCP connection. While Mint version 1.7.0 introduced target validation to secure the request target, the HTTP request method parameter remained completely unvalidated. This flaw allows attackers to bypass routing filters, access restricted internal APIs, or poison HTTP caches under default configurations.

TL;DR

A CRLF injection vulnerability in Elixir Mint (CVE-2026-48861) allows attackers to perform HTTP Request Splitting and Smuggling by passing control characters in the unvalidated HTTP method parameter.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-93 (Improper Neutralization of CRLF Sequences)
  • Attack Vector: Network / Client-Side forwarding
  • CVSS Score: 2.1 (Low Severity)
  • EPSS Score: 0.00166 (0.17% probability)
  • Impact: HTTP Request Splitting / HTTP Request Smuggling
  • Exploit Status: Proof-of-Concept (PoC)
  • KEV Status: Not Listed

Affected Systems

  • Elixir Mint library versions 0.1.0 through 1.8.1
  • Elixir applications utilizing dynamic, user-controlled HTTP methods with Mint
  • mint: >= 0.1.0, < 1.9.0 (Fixed in: 1.9.0)

Code Analysis

Commit: fad0914

Introduce token validation for the HTTP method in the request line to prevent CRLF injection

@@ -7,6 +7,7 @@ def encode(method, target, headers, body) do
+   validate_method!(method)
+
    body = [
      encode_request_line(method, target),
      encode_headers(headers),
@@ -34,6 +35,14 @@ defp validate_method!(method) do
+    _ =
+      for <<char <- method>> do
+        unless is_tchar(char) do
+          throw({:mint, {:invalid_request_method, method}})
+        end
+      end
+
+    :ok
+  end
Enter fullscreen mode Exit fullscreen mode

Exploit Details

Mitigation Strategies

  • Upgrade the Mint dependency to version 1.9.0 or higher to enforce token validation at the library level
  • Implement strict, application-level whitelisting for all dynamic HTTP method inputs before they are passed to Mint
  • Employ static application security testing (SAST) tools to audit dependencies and identify vulnerable packages

Remediation Steps:

  1. Open the mix.exs configuration file in the affected Elixir project
  2. Locate the mint dependency entry and update the version requirement to {:mint, "~> 1.9"}
  3. Execute the mix deps.get command in the project directory to retrieve the updated package
  4. Run mix deps.compile mint to ensure the patched version compiles correctly in the local environment
  5. Deploy the updated application to production environments and monitor application logs for invalid request method exceptions

References


Read the full report for CVE-2026-48861 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)