CVE-2026-48595 - Vulnerability Details

Vendors	Products
Elixir-tesla	Tesla

Link	Providers
https://cna.erlef.org/cves/CVE-2026-48595.html
https://github.com/elixir-tesla/tesla/commit/db963dba67651b9abd1fc420a1d9679cf6efe182
https://github.com/elixir-tesla/tesla/security/advisories/GHSA-9m9w-gxf7-rh8m
https://osv.dev/vulnerability/EEF-CVE-2026-48595

Type	Values Removed	Values Added
Description		Improper Handling of Case Sensitivity vulnerability in elixir-tesla tesla allows credential leakage to a third-party origin on cross-origin redirects. Tesla.Middleware.FollowRedirects strips security-sensitive headers on cross-origin redirects using a case-sensitive string comparison against a lowercase filter list (@filter_headers ["authorization", "host"]). HTTP header names are case-insensitive per RFC 7230, but Tesla preserves header keys verbatim as supplied by the caller without normalizing case. A header set as {"Authorization", "Bearer …"} (the RFC 7235 canonical casing used by virtually all HTTP libraries and documentation) does not match the lowercase filter entry and is forwarded to the redirect destination. An attacker who can control or influence a Location: response seen by the client (via their own endpoint, a redirect-open upstream, or a compromised origin) receives the bearer token or other Authorization material on the cross-origin request. This issue affects tesla: from 1.4.0 before 1.18.3.
Title		Authorization header leaks to third-party origin on cross-origin redirect in Tesla.Middleware.FollowRedirects
First Time appeared		Elixir-tesla Elixir-tesla tesla
Weaknesses		CWE-178
CPEs		cpe:2.3:a:elixir-tesla:tesla::::::::
Vendors & Products		Elixir-tesla Elixir-tesla tesla
References		https://cna.erlef.org/cves/CVE-2026-48595.html https://github.com/elixir-tesla/tesla/commit/db963dba67651b9abd1fc420a1d9679cf6efe182 https://github.com/elixir-tesla/tesla/security/advisories/GHSA-9m9w-gxf7-rh8m https://osv.dev/vulnerability/EEF-CVE-2026-48595
Metrics		cvssV4_0 `{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}`

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-48595", "assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "state": "PUBLISHED", "assignerShortName": "EEF", "dateReserved": "2026-05-22T09:36:56.834Z", "datePublished": "2026-06-02T19:08:48.339Z", "dateUpdated": "2026-06-02T19:12:24.989Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.hex.pm", "cpes": ["cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "modules": ["'Elixir.Tesla.Middleware.FollowRedirects'"], "packageName": "tesla", "packageURL": "pkg:hex/tesla", "product": "tesla", "programFiles": ["lib/tesla/middleware/follow_redirects.ex"], "programRoutines": [{"name": "'Elixir.Tesla.Middleware.FollowRedirects':call/3"}], "repo": "https://github.com/elixir-tesla/tesla", "vendor": "elixir-tesla", "versions": [{"lessThan": "1.18.3", "status": "affected", "version": "1.4.0", "versionType": "semver"}]}, {"collectionURL": "https://github.com", "cpes": ["cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "modules": ["'Elixir.Tesla.Middleware.FollowRedirects'"], "packageName": "elixir-tesla/tesla", "packageURL": "pkg:github/elixir-tesla/tesla", "product": "tesla", "programFiles": ["lib/tesla/middleware/follow_redirects.ex"], "programRoutines": [{"name": "'Elixir.Tesla.Middleware.FollowRedirects':call/3"}], "repo": "https://github.com/elixir-tesla/tesla.git", "vendor": "elixir-tesla", "versions": [{"lessThan": "db963dba67651b9abd1fc420a1d9679cf6efe182", "status": "affected", "version": "2d937d5813d7cda5cd726f41824985fb655c920f", "versionType": "git"}]}], "configurations": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The application must include <tt>Tesla.Middleware.FollowRedirects</tt> in its Tesla middleware pipeline."}], "value": "The application must include Tesla.Middleware.FollowRedirects in its Tesla middleware pipeline."}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.18.3", "versionStartIncluding": "1.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "credits": [{"lang": "en", "type": "finder", "value": "Peter Ullrich"}, {"lang": "en", "type": "remediation developer", "value": "Yordis Prieto"}, {"lang": "en", "type": "analyst", "value": "Jonatan M\u00e4nnchen"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Handling of Case Sensitivity vulnerability in elixir-tesla tesla allows credential leakage to a third-party origin on cross-origin redirects.<p><tt>Tesla.Middleware.FollowRedirects</tt> strips security-sensitive headers on cross-origin redirects using a case-sensitive string comparison against a lowercase filter list (<tt>@filter_headers [\"authorization\", \"host\"]</tt>). HTTP header names are case-insensitive per RFC 7230, but Tesla preserves header keys verbatim as supplied by the caller without normalizing case. A header set as <tt>{\"Authorization\", \"Bearer \u2026\"}</tt> (the RFC 7235 canonical casing used by virtually all HTTP libraries and documentation) does not match the lowercase filter entry and is forwarded to the redirect destination. An attacker who can control or influence a <tt>Location:</tt> response seen by the client (via their own endpoint, a redirect-open upstream, or a compromised origin) receives the bearer token or other <tt>Authorization</tt> material on the cross-origin request.</p><p>This issue affects tesla: from 1.4.0 before 1.18.3.</p>"}], "value": "Improper Handling of Case Sensitivity vulnerability in elixir-tesla tesla allows credential leakage to a third-party origin on cross-origin redirects.\n\nTesla.Middleware.FollowRedirects strips security-sensitive headers on cross-origin redirects using a case-sensitive string comparison against a lowercase filter list (@filter_headers [\"authorization\", \"host\"]). HTTP header names are case-insensitive per RFC 7230, but Tesla preserves header keys verbatim as supplied by the caller without normalizing case. A header set as {\"Authorization\", \"Bearer \u2026\"} (the RFC 7235 canonical casing used by virtually all HTTP libraries and documentation) does not match the lowercase filter entry and is forwarded to the redirect destination. An attacker who can control or influence a Location: response seen by the client (via their own endpoint, a redirect-open upstream, or a compromised origin) receives the bearer token or other Authorization material on the cross-origin request.\n\nThis issue affects tesla: from 1.4.0 before 1.18.3."}], "impacts": [{"capecId": "CAPEC-267", "descriptions": [{"lang": "en", "value": "CAPEC-267 Leverage Alternate Encoding"}]}], "metrics": [{"cvssV4_0": {"attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 8.2, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-178", "description": "CWE-178 Improper Handling of Case Sensitivity", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "shortName": "EEF", "dateUpdated": "2026-06-02T19:12:24.989Z"}, "references": [{"tags": ["vendor-advisory", "related"], "url": "https://github.com/elixir-tesla/tesla/security/advisories/GHSA-9m9w-gxf7-rh8m"}, {"tags": ["related"], "url": "https://cna.erlef.org/cves/CVE-2026-48595.html"}, {"tags": ["related"], "url": "https://osv.dev/vulnerability/EEF-CVE-2026-48595"}, {"tags": ["patch"], "url": "https://github.com/elixir-tesla/tesla/commit/db963dba67651b9abd1fc420a1d9679cf6efe182"}], "source": {"discovery": "EXTERNAL"}, "title": "Authorization header leaks to third-party origin on cross-origin redirect in Tesla.Middleware.FollowRedirects", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Normalize all header keys to lowercase before passing them to Tesla. Use <tt>\"authorization\"</tt> instead of <tt>\"Authorization\"</tt> when setting headers via <tt>Tesla.put_header/3</tt> or <tt>Tesla.Middleware.Headers</tt>."}], "value": "Normalize all header keys to lowercase before passing them to Tesla. Use \"authorization\" instead of \"Authorization\" when setting headers via Tesla.put_header/3 or Tesla.Middleware.Headers."}], "x_generator": {"engine": "cvelib 1.8.0"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Handling of Case Sensitivity vulnerability in elixir-tesla tesla allows credential leakage to a third-party origin on cross-origin redirects.\n\nTesla.Middleware.FollowRedirects strips security-sensitive headers on cross-origin redirects using a case-sensitive string comparison against a lowercase filter list (@filter_headers [\"authorization\", \"host\"]). HTTP header names are case-insensitive per RFC 7230, but Tesla preserves header keys verbatim as supplied by the caller without normalizing case. A header set as {\"Authorization\", \"Bearer \u2026\"} (the RFC 7235 canonical casing used by virtually all HTTP libraries and documentation) does not match the lowercase filter entry and is forwarded to the redirect destination. An attacker who can control or influence a Location: response seen by the client (via their own endpoint, a redirect-open upstream, or a compromised origin) receives the bearer token or other Authorization material on the cross-origin request.\n\nThis issue affects tesla: from 1.4.0 before 1.18.3."}], "id": "CVE-2026-48595", "lastModified": "2026-06-02T20:16:38.390", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "type": "Secondary"}]}, "published": "2026-06-02T20:16:38.390", "references": [{"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "url": "https://cna.erlef.org/cves/CVE-2026-48595.html"}, {"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "url": "https://github.com/elixir-tesla/tesla/commit/db963dba67651b9abd1fc420a1d9679cf6efe182"}, {"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "url": "https://github.com/elixir-tesla/tesla/security/advisories/GHSA-9m9w-gxf7-rh8m"}, {"source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "url": "https://osv.dev/vulnerability/EEF-CVE-2026-48595"}], "sourceIdentifier": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-178"}], "source": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db", "type": "Secondary"}]}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object