CVE-2026-47069 (GCVE-0-2026-47069)
Vulnerability from cvelistv5
Published
2026-05-25 14:00
Modified
2026-05-27 15:40
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Summary
Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in benoitc hackney allows HTTP Response Splitting. The hackney_cookie:setcookie/3 function in src/hackney_cookie.erl validates the Name and Value arguments against CRLF and control characters, but concatenates the domain and path options verbatim into the output iolist with no equivalent check. An attacker who controls either option — for example by supplying a Host header value forwarded as the cookie domain, or a request path forwarded as the cookie path — can inject a literal CRLF sequence and arbitrary additional Set-Cookie headers into the HTTP response.
This issue affects hackney: from 0.9.0 before 4.0.1.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-47069",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-26T15:57:10.763778Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T15:57:18.662Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/benoitc/hackney/security/advisories/GHSA-mp55-p8c9-rfw2"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.hex.pm",
"cpes": [
"cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"hackney_cookie"
],
"packageName": "hackney",
"packageURL": "pkg:hex/hackney",
"product": "hackney",
"programFiles": [
"src/hackney_cookie.erl"
],
"programRoutines": [
{
"name": "hackney_cookie:setcookie/3"
}
],
"repo": "https://github.com/benoitc/hackney",
"vendor": "benoitc",
"versions": [
{
"lessThan": "4.0.1",
"status": "affected",
"version": "0.9.0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"hackney_cookie"
],
"packageName": "benoitc/hackney",
"packageURL": "pkg:github/benoitc/hackney",
"product": "hackney",
"programFiles": [
"src/hackney_cookie.erl"
],
"programRoutines": [
{
"name": "hackney_cookie:setcookie/3"
}
],
"repo": "https://github.com/benoitc/hackney",
"vendor": "benoitc",
"versions": [
{
"lessThan": "8e02b99c28aea1b3fa2ddc0e66f51fe5bb0ac540",
"status": "affected",
"version": "602d5c7f2ea4acbc83ed75230655d935a0750ebc",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.0.1",
"versionStartIncluding": "0.9.0",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Ullrich"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Benoit Chesneau"
},
{
"lang": "en",
"type": "analyst",
"value": "Jonatan M\u00e4nnchen / EEF"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027) vulnerability in benoitc hackney allows HTTP Response Splitting.\u003cp\u003eThe \u003ctt\u003ehackney_cookie:setcookie/3\u003c/tt\u003e function in \u003ctt\u003esrc/hackney_cookie.erl\u003c/tt\u003e validates the \u003ctt\u003eName\u003c/tt\u003e and \u003ctt\u003eValue\u003c/tt\u003e arguments against CRLF and control characters, but concatenates the \u003ctt\u003edomain\u003c/tt\u003e and \u003ctt\u003epath\u003c/tt\u003e options verbatim into the output iolist with no equivalent check. An attacker who controls either option \u2014 for example by supplying a \u003ctt\u003eHost\u003c/tt\u003e header value forwarded as the cookie domain, or a request path forwarded as the cookie path \u2014 can inject a literal CRLF sequence and arbitrary additional \u003ctt\u003eSet-Cookie\u003c/tt\u003e headers into the HTTP response.\u003c/p\u003e\u003cp\u003eThis issue affects hackney: from 0.9.0 before 4.0.1.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027) vulnerability in benoitc hackney allows HTTP Response Splitting. The hackney_cookie:setcookie/3 function in src/hackney_cookie.erl validates the Name and Value arguments against CRLF and control characters, but concatenates the domain and path options verbatim into the output iolist with no equivalent check. An attacker who controls either option \u2014 for example by supplying a Host header value forwarded as the cookie domain, or a request path forwarded as the cookie path \u2014 can inject a literal CRLF sequence and arbitrary additional Set-Cookie headers into the HTTP response.\n\nThis issue affects hackney: from 0.9.0 before 4.0.1."
}
],
"impacts": [
{
"capecId": "CAPEC-34",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-34 HTTP Response Splitting"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 2.1,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93 Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T15:40:38.975Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/benoitc/hackney/security/advisories/GHSA-mp55-p8c9-rfw2"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-47069.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-47069"
},
{
"tags": [
"patch"
],
"url": "https://github.com/benoitc/hackney/commit/8e02b99c28aea1b3fa2ddc0e66f51fe5bb0ac540"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "CRLF injection in cookie domain/path options in hackney",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-47069",
"datePublished": "2026-05-25T14:00:39.394Z",
"dateReserved": "2026-05-18T17:28:08.322Z",
"dateUpdated": "2026-05-27T15:40:38.975Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…