Listen to this Post
How the vulnerability works (technical details)
CVE-2026-47070 is a sensitive data exposure flaw in the hackney HTTP client for Erlang/Elixir, specific to its HTTP/3 implementation. The core issue lies in the HTTP/3 redirect handler within src/hackney_h3.erl. This handler is responsible for processing 3xx redirect responses (e.g., 301, 302, 307, 308). When a client makes an HTTP/3 request with the `follow_redirect` option enabled, the vulnerable code path does not perform any cross-origin check before forwarding the original request’s headers to the redirect target.
Specifically, the functions `hackney_h3:handle_redirect/11` and `hackney_h3:do_request_with_redirect/8` construct the redirected request by copying the entire header map from the initial request and sending it to the new `Location` provided by the server. This includes security-critical headers such as `Authorization` and Cookie. As a result, if a client using hackney connects to a malicious or compromised HTTP/3 server, that server can respond with a 3xx redirect pointing to a third-party domain under its control. The client will then blindly forward the `Authorization` token and any session cookies to this untrusted origin, effectively leaking them.
This vulnerability is a direct consequence of an incomplete fix for a previous flaw (CVE-2018-1000007). The prior remediation added a function, maybe_strip_auth_on_redirect/2, to the main `hackney.erl` module, which conditionally removes sensitive headers when the `location_trusted` option is not set. However, this protection logic was not ported to the separate HTTP/3 handler module, leaving it vulnerable. The affected versions are hackney from 3.1.1 up to, but not including, 4.0.1. The vulnerability is assigned a CVSS v4.0 base score of 6.0 (MEDIUM) with the vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N.
DailyCVE form
Platform: benoitc hackney
Version: 3.1.1 before 4.0.1
Vulnerability: Sensitive Data Exposure
Severity: MEDIUM
date: 2026-05-25
Prediction: Patch expected 2026-06-15
What Undercode Say:
Analytics
Monitor for unexpected cross-origin redirects leading to external domains. The following command (using jq) can be used to inspect application logs for outbound HTTP/3 requests containing `Authorization` or `Cookie` headers that were subsequently redirected to a different origin:
Example: Monitor for suspicious redirect chains in proxy logs
grep -E 'HTTP/3.3[0-9]{2}' /var/log/proxy/access.log | \
jq 'select(.headers.Authorization != null or .headers.Cookie != null) | {src: .client_ip, dst: .upstream_addr, redirect_to: .headers.Location}'
Exploit
An attacker controls an HTTP/3 server that the hackney client connects to. When the client sends a request with an `Authorization` header (e.g., Bearer: abc123), the server responds with `HTTP/3 302 Found` and a Location: https://attacker.com/callback` header. The client, using the vulnerable `hackney_h3` module, immediately performs a GET request tohttps://attacker.com/callback`, including the full `Authorization: Bearer abc123` header. The attacker then captures this token.
Protection from this CVE
- Immediate: Upgrade to hackney version 4.0.1 or later. If immediate upgrade is not possible, avoid setting `follow_redirect` to `true` for HTTP/3 requests.
- Configuration: If using a custom build, manually port the `maybe_strip_auth_on_redirect/2` logic to the `hackney_h3` module.
- Mitigation: As a temporary workaround, implement a custom redirect handler that sanitizes headers before following redirects.
Impact
Successful exploitation leads to unauthorized credential leakage. An attacker can hijack user sessions, access protected APIs, and perform actions with the victim’s privileges. This can result in account takeover, data theft, and privilege escalation depending on the scope of the leaked tokens.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]

