{"uuid": "80d2327d-377f-461b-85ac-b6917b7aea7b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-48595", "type": "seen", "source": "https://gist.github.com/alon710/34fe998f34bdbbf866bd428a21589671", "content": "# CVE-2026-48595: CVE-2026-48595: Cross-Origin Credential Leakage in Elixir Tesla Client via Case-Sensitive Redirect Filter Bypass\n\n&gt; **CVSS Score:** 8.2\n&gt; **Published:** 2026-07-10\n&gt; **Full Report:** https://cvereports.com/reports/CVE-2026-48595\n\n## Summary\nA high-severity security vulnerability in Elixir's Tesla HTTP client library (CVE-2026-48595) allows unauthenticated remote attackers to harvest sensitive credentials, including Authorization headers and cookies. The flaw resides in the 'Tesla.Middleware.FollowRedirects' component, which performs case-sensitive lookups when stripping credentials during cross-origin redirects. Because HTTP headers are case-insensitive by RFC specifications, standard canonical casing (e.g., 'Authorization') bypasses the lowercase-only blocklist, leaking tokens to untrusted external redirect destinations.\n\n## TL;DR\nCase-sensitive header filtering in Tesla's FollowRedirects middleware fails to strip credentials like 'Authorization' during cross-origin redirects if they contain uppercase characters, leading to token leakage to untrusted hosts.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-178\n- **Attack Vector**: Network (Remote)\n- **CVSS v4 Score**: 8.2 (High)\n- **EPSS Score**: 0.00396 (0.40%)\n- **Exploit Status**: Proof of Concept (PoC) Publicly Available\n- **CISA KEV Status**: Not Listed\n\n## Affected Systems\n\n- Elixir systems integrating the elixir-tesla/tesla library with active follow-redirect modules.\n- **tesla**: &gt;= 1.4.0, &lt; 1.18.3 (Fixed in: `1.18.3`)\n\n## Mitigation\n\n- Upgrade the elixir-tesla/tesla dependency to version 1.18.3 or greater.\n- Normalize all outgoing HTTP header keys to lowercase at the application layer prior to dispatching requests.\n- Sanitize client-provided redirection inputs to avoid cross-origin redirection routes.\n\n**Remediation Steps:**\n1. Open your project's mix.exs configuration file.\n2. Locate the {:tesla, ...} dependency definition.\n3. Modify the version constraint to requiring '~&gt; 1.18.3' or greater.\n4. Execute 'mix deps.get' in your shell to fetch the updated packages.\n5. Rebuild and run tests to ensure no regression occurs.\n\n## References\n\n- [GitHub Security Advisory - GHSA-9m9w-gxf7-rh8m](https://github.com/elixir-tesla/tesla/security/advisories/GHSA-9m9w-gxf7-rh8m)\n- [CNA EEF Advisory Record](https://cna.erlef.org/cves/CVE-2026-48595.html)\n- [OSV Entry](https://osv.dev/vulnerability/EEF-CVE-2026-48595)\n- [CVE.org Record Database](https://www.cve.org/CVERecord?id=CVE-2026-48595)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-48595) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-07-10T01:41:47.998773Z"}