PT-2026-48464 · Unknown · Erlang/Otp

Konrad Pietrzak

·

Published

2026-06-10

·

Updated

2026-06-10

·

CVE-2026-48856

CVSS v4.0

7.1

High

Vector AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Erlang OTP versions 17.0 through 29.0.1
Erlang OTP version 28.5.0.1
Erlang OTP version 27.3.4.12

Description

Sensitive data exposure occurs in the httpc response module of the inets library. The httpc client forwards Authorization and Proxy-Authorization request headers to redirect targets without verifying whether the redirect crosses an origin boundary. Specifically, the redirect/2 function constructs the redirected request by updating only the host field of the header record and copying all other fields verbatim. Since autoredirect is enabled by default, this affects all callers that do not explicitly disable automatic redirects. An attacker controlling a server can issue a cross-origin 3xx redirect to a second server they also control, causing the Authorization header (including Basic credentials derived from URL userinfo via the handle_user_info/2 function) and the Proxy-Authorization header to be forwarded, leading to credential theft.

Recommendations

Update Erlang OTP to version 29.0.2, 28.5.0.2, or 27.3.4.13. Set {autoredirect, false} in the httpc:request/4 options and handle redirects manually, stripping the Authorization header when the redirect crosses an origin boundary. Ensure that httpc is only used to contact trusted servers that will not issue cross-origin redirects.
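A manual-redirect wrapper of the kind the recommendations describe, written here as an added example (not code from this advisory or from OTP itself): it disables autoredirect, follows 3xx responses by hand, and drops Authorization and Proxy-Authorization whenever the scheme, host or port of the Location target differs from the current request. The module name, the redirect limit and the helper names are assumptions; it expects the inets (and, for https, ssl) applications to be started.

```erlang
%% Hypothetical helper module (not part of OTP): follow redirects manually,
%% dropping credential headers when the target origin differs.
-module(safe_redirect).
-export([request/2, same_origin/2, strip_credentials/1]).

-define(MAX_REDIRECTS, 5).

request(Url, Headers) ->
    request(Url, Headers, ?MAX_REDIRECTS).

request(_Url, _Headers, 0) ->
    {error, too_many_redirects};
request(Url, Headers, N) ->
    %% autoredirect is disabled, so httpc never re-sends headers on its own
    case httpc:request(get, {Url, Headers}, [{autoredirect, false}], []) of
        {ok, {{_Vsn, Status, _Reason}, RespHeaders, _Body}}
          when Status >= 300, Status < 400 ->
            %% httpc lowercases response header names
            case proplists:get_value("location", RespHeaders) of
                undefined ->
                    {error, redirect_without_location};
                Location ->
                    %% Location may be relative; resolve against the current URL
                    Next = uri_string:resolve(Location, Url),
                    NextHeaders = case same_origin(Url, Next) of
                        true  -> Headers;
                        false -> strip_credentials(Headers)
                    end,
                    request(Next, NextHeaders, N - 1)
            end;
        Other ->
            Other
    end.

%% Two URLs share an origin only if scheme, host and effective port all match.
same_origin(UrlA, UrlB) ->
    origin(UrlA) =:= origin(UrlB).

origin(Url) ->
    #{scheme := Scheme, host := Host} = Parsed = uri_string:parse(Url),
    Port = maps:get(port, Parsed, default_port(Scheme)),
    {string:lowercase(Scheme), string:lowercase(Host), Port}.

default_port("https") -> 443;
default_port("http")  -> 80;
default_port(_)       -> undefined.

%% Remove both credential-bearing headers, matching names case-insensitively.
strip_credentials(Headers) ->
    Sensitive = ["authorization", "proxy-authorization"],
    [{K, V} || {K, V} <- Headers,
               not lists:member(string:lowercase(K), Sensitive)].
```

Call it as safe_redirect:request("https://api.example.com/resource", [{"Authorization", "Bearer ..."}]) in place of a plain httpc:request/4 with autoredirect left on.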

Fix

Open Redirect

Weakness Enumeration

Related Identifiers

CVE-2026-48856
GHSA-M75X-4VWG-GGJH

Affected Products

Erlang/Otp