CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-48861

CVE-2026-48861: HTTP Request Splitting and Smuggling via Method Parameter CRLF Injection in Elixir Mint

Amit Schendel
Amit Schendel
Senior Security Researcher

Jul 10, 2026·7 min read·3 visits

Executive Summary (TL;DR)

A CRLF injection vulnerability in Elixir Mint (CVE-2026-48861) allows attackers to perform HTTP Request Splitting and Smuggling by passing control characters in the unvalidated HTTP method parameter.

CVE-2026-48861 is a client-side HTTP request-line CRLF (Carriage Return Line Feed) injection vulnerability in the popular Elixir HTTP client library, Mint. The vulnerability permits HTTP Request Splitting and HTTP Request Smuggling when an application forwards untrusted, attacker-controlled inputs to Mint's HTTP client requests as either the HTTP request method or target. By embedding CRLF characters within these parameters, an attacker can terminate the request line prematurely, inject malicious headers, or pipeline entirely independent requests. These smuggled requests are then processed by upstream or downstream proxy servers as separate HTTP queries on the same TCP connection. While Mint version 1.7.0 introduced target validation to secure the request target, the HTTP request method parameter remained completely unvalidated. This flaw allows attackers to bypass routing filters, access restricted internal APIs, or poison HTTP caches under default configurations.

Vulnerability Overview

The vulnerability is located in Mint, a widely used low-level HTTP client library for the Elixir programming language. The component exposes a client-side attack surface when application code acts as a proxy, webhook forwarder, or API gateway. When such applications accept user-controlled strings to define outbound HTTP connection parameters, they pass the untrusted inputs directly to Mint's internal serialization layers.

In vulnerable versions, Mint fails to validate or neutralize carriage return (CR) and line feed (LF) characters inside the HTTP method parameter. This failure violates RFC 9110 specifications, which mandate that HTTP methods consist only of valid token characters. Consequently, an attacker can submit a crafted HTTP method containing embedded CRLF characters to manipulate the client's output stream.

The resulting injection splits the outbound HTTP stream into multiple distinct requests. From the perspective of downstream proxy servers, reverse proxies, or load balancers, the single TCP connection appears to contain multiple independent pipelined queries. This behavior facilitates a range of attacks including unauthorized lateral movement, server-side request forgery (SSRF), and cache poisoning.

Root Cause Analysis

The root cause of the vulnerability resides in the HTTP/1 request-line compilation logic within Mint. According to the HTTP/1.1 specification, a standard request-line must strictly conform to a defined structure consisting of the method, a single space, the request target, another single space, the protocol version, and a terminating CRLF sequence.

In vulnerable versions of Mint, specifically inside the lib/mint/http1/request.ex module, the encode_request_line/2 function compiles the request-line by directly concatenating the user-supplied method and target parameters into an iolist. This implementation is completed without checking if either variable contains forbidden control characters, spaces, or protocol delimiter bytes.

While Mint 1.7.0 introduced the helper validate_request_target/2 to sanitize target URIs and prevent CRLF injections via the path or query string, the library left the HTTP method parameter completely unvalidated. The developers assumed that applications would only supply static, hardcoded method names like "GET" or "POST" to the client library.

However, when an application dynamically accepts and forwards an HTTP method from an external source, this design assumption fails. Because there is no token validation on the method string, any control sequences inserted by the attacker pass unaltered into the network socket. The receiving server parses these control characters as structural boundaries, altering the intended request structure.

Code Analysis

An analysis of the vulnerable codebase in lib/mint/http1/request.ex reveals the following serialization logic:

defp encode_request_line(method, target) do
  [method, ?\s, target, " HTTP/1.1\r\n"]
end

This implementation directly interpolates the method argument into the character stream. The official patch (fad091454cbb7449b19edb8e1fee12ca7cf28c3a) addresses this weakness by introducing a strict whitelist check on the HTTP method argument before compiling the request-line.

# lib/mint/http1/request.ex
def encode(method, target, headers, body) do
+   validate_method!(method)
+
    body = [
      encode_request_line(method, target),
      encode_headers(headers),

The fix is implemented within the new private function validate_method!/1, which loops through each byte of the method parameter and validates it against the is_tchar/1 macro imported from Mint.HTTP1.Parse:

+  defp validate_method!(method) do
+    _ =
+      for <<char <- method>> do
+        unless is_tchar(char) do
+          throw({:mint, {:invalid_request_method, method}})
+        end
+      end
+
+    :ok
+  end

Because the is_tchar/1 macro restricts allowed bytes to the exact set of token characters permitted by RFC 9110, control characters such as tabs, spaces, carriage returns, and line feeds are rejected. If an illegal byte is encountered, the library throws an exception which is subsequently translated into an invalid request method error. This patch prevents the compilation of malformed request lines and successfully mitigates the CRLF injection vector.

Exploitation & Smuggling Methodology

Exploitation requires an application that acts as an intermediary, receiving input from an untrusted source and forwarding it to Mint without sanitization. An attacker constructs an HTTP request targeting the proxy application, supplying a malicious payload within the parameter mapped to the outbound HTTP method.

An attacker may transmit a payload where the method argument contains the following sequence:

GET / HTTP/1.1\r\nHost: internal-service.local\r\n\r\nGET /admin/delete_user?id=1 HTTP/1.1\r\nHost: internal-service.local\r\nIgnore-Header:

When Mint processes this input, it writes the concatenated byte stream to the connection. The resulting TCP payload is formatted as follows:

GET / HTTP/1.1
Host: internal-service.local
 
GET /admin/delete_user?id=1 HTTP/1.1
Host: internal-service.local
Ignore-Header:  /api/v1/resource HTTP/1.1

Upon receiving this stream, the downstream server parses the first section as a legitimate, benign request. Due to the double CRLF (\r\n\r\n) sequence, the parser treats the subsequent bytes as a second, separate pipelined request. The final, dangling fragment is appended to the smuggled request headers, completing the injection. This technique successfully bypasses security controls that are only applied to the outer request wrapper.

Impact Assessment & Attack Scenarios

The concrete impact of CVE-2026-48861 is determined by the downstream network architecture and the authorization model of the environment. In environments where reverse proxies or load balancers cache content, attackers can exploit request splitting to inject arbitrary cached responses. This cache poisoning vector can result in the distribution of malicious content to other, unrelated users of the application.

In microservice architectures, this flaw facilitates lateral movement and security bypasses. Because the smuggled request originates from the internal IP address of the Elixir gateway application, the target service processes the request under the assumption that it comes from a trusted internal source. This trust allows the attacker to execute privileged actions or access sensitive endpoints without authentication.

The vulnerability is assigned a CVSS v4.0 base score of 2.1, reflecting a low severity under isolated circumstances. This low score is due to the prerequisite that application developers must actively design a proxy pattern that accepts dynamic, user-controlled HTTP methods. However, in deployments that implement such patterns, the vulnerability presents a significant security risk.

At present, the vulnerability has an EPSS score of 0.00166, indicating a low probability of active exploitation in the wild. It is not currently included in the CISA Known Exploited Vulnerabilities catalog. Nevertheless, organizations running vulnerable configurations should remediate the issue to prevent potential exploitation.

Remediation & Detection Guidance

The primary and recommended mitigation for this vulnerability is upgrading the mint package to version 1.9.0 or higher. This update introduces the necessary HTTP method token validation checks inside the request compilation process, neutralizing the CRLF injection vector at the library boundary.

If upgrading the dependency is not immediately possible, developers must implement application-level input validation. Any user-supplied parameter destined for the HTTP method field must be validated against a strict whitelist of standard HTTP methods. This validation can be performed in the application controller layer:

defp validate_http_method(method) when method in ["GET", "POST", "PUT", "DELETE", "PATCH", "HEAD", "OPTIONS"] do
  {:ok, method}
end
defp validate_http_method(_invalid_method), do: {:error, :invalid_method}

Security teams can detect vulnerable instances of Mint by performing dependency scans on their Elixir codebases. Tools such as mix hex.audit or static application security testing (SAST) utilities like Sobelow can flag outdated package dependencies.

Additionally, network-level detection can be implemented via Web Application Firewalls (WAFs) or Intrusion Detection Systems (IDS). Rules should be configured to detect and drop inbound requests containing carriage returns or line feeds within application parameter values designed for downstream proxy routing.

Official Patches

elixir-mintFix commit introducing token validation for the HTTP method parameter

Fix Analysis (1)

Technical Appendix

CVSS Score
2.1/ 10
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N
EPSS Probability
0.17%
Top 94% most exploited

Affected Systems

Elixir Mint library versions 0.1.0 through 1.8.1Elixir applications utilizing dynamic, user-controlled HTTP methods with Mint

Affected Versions Detail

Product
Affected Versions
Fixed Version
mint
elixir-mint
>= 0.1.0, < 1.9.01.9.0
AttributeDetail
CWE IDCWE-93 (Improper Neutralization of CRLF Sequences)
Attack VectorNetwork / Client-Side forwarding
CVSS Score2.1 (Low Severity)
EPSS Score0.00166 (0.17% probability)
ImpactHTTP Request Splitting / HTTP Request Smuggling
Exploit StatusProof-of-Concept (PoC)
KEV StatusNot Listed

MITRE ATT&CK Mapping

T1190Exploit Public-Facing Application
Initial Access
CWE-93
Improper Neutralization of CRLF Sequences ('CRLF Injection')

The software receives input from an upstream source but fails to neutralize or incorrectly neutralizes carriage return (CR) and line feed (LF) characters before utilizing them in an output stream.

Known Exploits & Detection

GitHub Security AdvisoryAdvisory containing details and verification cases for the CRLF injection vulnerability

Vulnerability Timeline

Vulnerability Patched in Mint 1.9.0
2026-06-02
CVE-2026-48861 Published to NVD
2026-06-02

References & Sources

  • [1]CVE-2026-48861 National Vulnerability Database
  • [2]GitHub Security Advisory GHSA-2pg6-44cx-c49v
  • [3]Official Fix Commit
  • [4]Erlang Ecosystem Foundation Advisory
  • [5]OSV Database Entry

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•about 2 hours ago•CVE-2026-49753
6.3

CVE-2026-49753: HTTP Request/Response Smuggling via Inconsistent Content-Length Parsing in Elixir Mint Client

An Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling) vulnerability in the Elixir Mint HTTP client allows attacker-controlled HTTP/1 servers to desynchronize response framing on shared connections due to over-lenient parsing of sign-prefixed Content-Length headers.

Amit Schendel
Amit Schendel
5 views•6 min read
•about 2 hours ago•CVE-2026-49754
8.2

CVE-2026-49754: Denial of Service via Unbounded HTTP/2 CONTINUATION Frame Accumulation in Elixir Mint

An allocation of resources without limits or throttling vulnerability in Elixir Mint allows an attacker-controlled HTTP/2 server to exhaust memory in a Mint client. The vulnerability is exploited by sending a HEADERS frame without the END_HEADERS flag followed by an infinite stream of CONTINUATION frames. Because the client lacks limits on the incoming header-block accumulator, the client continuously consumes memory until an out-of-memory crash occurs.

Amit Schendel
Amit Schendel
6 views•6 min read
•about 3 hours ago•CVE-2026-48596
2.1

CVE-2026-48596: Improper Neutralization of CRLF Sequences in Elixir Tesla Multipart HTTP Client

CVE-2026-48596 is an Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Request/Response Splitting, CWE-113) in the Elixir Tesla HTTP client. The flaw resides in how multipart content-type parameters are joined and serialized, enabling attackers to inject arbitrary headers or split HTTP requests when applications pass untrusted inputs to the parameters of multipart uploads.

Alon Barad
Alon Barad
4 views•6 min read
•about 3 hours ago•CVE-2026-48594
8.2

CVE-2026-48594: Decompression Bomb Denial of Service in Elixir Tesla HTTP Client

An improper handling of highly compressed data (decompression bomb) vulnerability exists in the Elixir Tesla HTTP client when utilizing response decompression middlewares. By serving highly compressed responses or stacked content-encoding headers, a malicious server can cause arbitrary heap exhaustion, leading to a denial of service (DoS) crash in the BEAM virtual machine.

Amit Schendel
Amit Schendel
5 views•6 min read
•about 4 hours ago•CVE-2026-48595
8.2

CVE-2026-48595: Cross-Origin Credential Leakage in Elixir Tesla Client via Case-Sensitive Redirect Filter Bypass

A high-severity security vulnerability in Elixir's Tesla HTTP client library (CVE-2026-48595) allows unauthenticated remote attackers to harvest sensitive credentials, including Authorization headers and cookies. The flaw resides in the 'Tesla.Middleware.FollowRedirects' component, which performs case-sensitive lookups when stripping credentials during cross-origin redirects. Because HTTP headers are case-insensitive by RFC specifications, standard canonical casing (e.g., 'Authorization') bypasses the lowercase-only blocklist, leaking tokens to untrusted external redirect destinations.

Alon Barad
Alon Barad
5 views•5 min read
•about 4 hours ago•CVE-2026-48597
8.2

CVE-2026-48597: Denial of Service via Atom Table Exhaustion in Elixir Tesla Client (Mint Adapter)

CVE-2026-48597 is a high-severity Denial of Service (DoS) vulnerability in the Elixir HTTP client library Tesla (specifically involving the Mint adapter) that allows an unauthenticated remote attacker to cause an unrecoverable crash of the Erlang Virtual Machine (BEAM). The flaw arises from the dynamic conversion of untrusted URL schemes into Erlang atoms without validation, leading to global atom table exhaustion.

Alon Barad
Alon Barad
4 views•8 min read