CVE-2026-47070: HTTP/3 redirect handler leaks Authorization and Cookie headers to cross-origin redirect target in hackney

AI Predicted: 5.9 · Difficulty: Easy · EPSS 0.04% · P13

Possible ATT&CK Techniques (AI-suggested)

T1530 · Data from Cloud Storage

Affected Version Matrix

| Vendor | Product | Version Range | Status |
|---|---|---|---|
| benoitc | hackney | 3.1.1 < 4.0.1 | affected |
| | | e61b7d04b7826847e1efe614106ef4d580c78eab < c58d5b50bade146360b85caf3dc8065807b08246 | affected |

I. Basic Information for CVE-2026-47070

Vulnerability Information

Vulnerability Title
HTTP/3 redirect handler leaks Authorization and Cookie headers to cross-origin redirect target in hackney
Source: NVD (National Vulnerability Database)
Vulnerability Description
Sensitive Data Exposure vulnerability in benoitc hackney allows Retrieve Embedded Sensitive Data. The HTTP/3 redirect handler in src/hackney_h3.erl passes the original request headers unchanged to the redirect target without performing any cross-origin check. When a client issues an HTTP/3 request with follow_redirect enabled and includes Authorization or Cookie headers, a server responding with a 3xx redirect to a different host will cause the client to forward those credentials verbatim to the new origin. The main hackney.erl module has maybe_strip_auth_on_redirect/2 (guarded by the location_trusted option) to address CVE-2018-1000007, but hackney_h3.erl is missing this protection entirely. This issue affects hackney: from 3.1.1 before 4.0.1.
Source: NVD (National Vulnerability Database)
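
The cross-origin check the description says is missing can be sketched as follows. This is an added example, not hackney's code: the module and function names are hypothetical, URLs and header names are assumed to be binaries, and `uri_string:resolve/2` requires OTP 22.3 or later.

```erlang
%% Added example (hypothetical names); not taken from hackney.
-module(redirect_headers).
-export([headers_for_redirect/4, same_origin/2, demo/0]).

%% The two credential-bearing headers named in the advisory.
-define(SENSITIVE, [<<"authorization">>, <<"cookie">>]).

%% Headers that may accompany a redirect from OrigUrl to Location.
%% LocationTrusted models an explicit caller opt-in such as location_trusted.
headers_for_redirect(OrigUrl, Location, Headers, LocationTrusted) ->
    %% Resolve relative Location values against the original request URL.
    Target = uri_string:resolve(Location, OrigUrl),
    case LocationTrusted orelse same_origin(OrigUrl, Target) of
        true -> Headers;
        false -> strip_sensitive(Headers)
    end.

%% Same origin means identical scheme, host and effective port.
same_origin(A, B) ->
    case {origin(A), origin(B)} of
        {{ok, O}, {ok, O}} -> true;
        _ -> false   % unparsable or different origin: fail closed
    end.

origin(Url) when is_binary(Url) ->
    case uri_string:parse(Url) of
        #{scheme := S0, host := H0} = M ->
            S = string:lowercase(S0),
            {ok, {S, string:lowercase(H0), maps:get(port, M, default_port(S))}};
        _ -> error
    end;
origin(_) -> error.   % e.g. an error tuple returned by uri_string:resolve/2

default_port(<<"https">>) -> 443;
default_port(<<"http">>) -> 80;
default_port(_) -> undefined.

%% Header names are case-insensitive, so compare in lowercase.
strip_sensitive(Headers) ->
    [{K, V} || {K, V} <- Headers,
               not lists:member(string:lowercase(iolist_to_binary(K)), ?SENSITIVE)].

%% Constructed sample: one cross-origin redirect, one relative (same-origin) redirect.
demo() ->
    Orig = <<"https://api.example.test/v1">>,
    Hs = [{<<"Authorization">>, <<"Bearer SAMPLE">>},
          {<<"Cookie">>, <<"sid=SAMPLE">>}, {<<"Accept">>, <<"*/*">>}],
    {headers_for_redirect(Orig, <<"https://cdn.example.net/v1">>, Hs, false),
     headers_for_redirect(Orig, <<"/v2">>, Hs, false)}.
```

`demo/0` returns the header lists for both redirects, so the difference between the cross-origin and same-origin cases can be inspected in the shell.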
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
URL Redirection to Untrusted Site (Open Redirect)
Source: NVD (National Vulnerability Database)

Affected Products

| Vendor | Product | Affected Versions | CPE |
|---|---|---|---|
| benoitc | hackney | 3.1.1 ~ 4.0.1 | cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:* |
| benoitc | hackney | e61b7d04b7826847e1efe614106ef4d580c78eab ~ c58d5b50bade146360b85caf3dc8065807b08246 | cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:* |

II. Public POCs for CVE-2026-47070

No public POC found.

III. Intelligence Information for CVE-2026-47070

Patches & Fixes for CVE-2026-47070 (1)

Vendor Advisories for CVE-2026-47070 (3)

Same Patch Batch · benoitc · 2026-05-25 · 10 CVEs total

CVE-2026-47069: CRLF injection in cookie domain/path options in hackney
CVE-2026-47076: SSRF allowlist bypass via percent-encoded host in hackney
CVE-2026-47073: Unbounded memory consumption in WebSocket client in hackney
CVE-2026-47075: CR/LF injection in query parameter in hackney
CVE-2026-47072: CRLF injection in WebSocket upgrade request in hackney
CVE-2026-47077: Unbounded body accumulation in HTTP/3 response loop in hackney
CVE-2026-47067: Atom table exhaustion via unrecognized URL schemes in hackney
CVE-2026-47071: SOCKS5 TLS upgrade ignores caller timeout in hackney
CVE-2026-47066: Infinite loop in Alt-Svc header parser in hackney
