CRLF injection in WebSocket upgrade request in hackney

Summary

CVE	CVE-2026-47072
State	PUBLISHED
Assigner	EEF
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-05-25 15:16:22 UTC
Updated	2026-05-26 19:58:36 UTC
Description	Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in benoitc hackney allows HTTP Request/Response Splitting. The WebSocket upgrade code in src/hackney_ws.erl copies the host, path, headers (ExtraHeaders), and protocols options from the caller-supplied opts map into the internal #ws_data{} record in init/1 and then splices them verbatim into the raw HTTP/1.1 upgrade request by binary concatenation in do_handshake/1. No CRLF or NUL stripping is performed at any of these four injection sites. An attacker who controls any of these options — for example by forwarding URL components or header values from untrusted input into hackney_ws:start_link/1 — can inject arbitrary HTTP headers into the outbound WebSocket upgrade request, leading to header injection, credential spoofing toward the upstream server, log and cache poisoning, or request smuggling via intermediary proxies. This issue affects hackney: from 2.0.0 before 4.0.1.

Risk And Classification

Primary CVSS: v4.0 6.9 MEDIUM from 6b3ad84c-e1a6-4bf7-a703-f496b71e49db

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS: 0.000470000 probability, percentile 0.148710000 (date 2026-05-27)

Problem Types: CWE-93 | CWE-93 CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')

Version	Source	Type	Score	Severity	Vector
4.0	6b3ad84c-e1a6-4bf7-a703-f496b71e49db	Secondary	6.9	MEDIUM	`CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N/E:X/C...`
4.0	CNA	CVSS	6.9	MEDIUM	`CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N`

CVSS v4.0 Breakdown

Attack Vector

Network

Attack Complexity

Low

Attack Requirements

Present

Privileges Required

None

User Interaction

None

Confidentiality

None

Integrity

Low

Availability

None

Sub Conf.

None

Sub Integrity

High

Sub Availability

None

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Benoitc	Hackney	affected 2.0.0 4.0.1 semver	Not specified
CNA	Benoitc	Hackney	affected 690cecaf236fba49526da404a5bc889a24367a3e 52310ca807e7b48441ba0e9129171f535313fdd1 git	Not specified

References

Reference	Source	Link	Tags
github.com/benoitc/hackney/security/advisories/GHSA-f9vr-g2g2-x9fg	134c704f-9b21-4f2e-91b3-4a467353bcc0	github.com
cna.erlef.org/cves/CVE-2026-47072.html	6b3ad84c-e1a6-4bf7-a703-f496b71e49db	cna.erlef.org
osv.dev/vulnerability/EEF-CVE-2026-47072	6b3ad84c-e1a6-4bf7-a703-f496b71e49db	osv.dev
github.com/benoitc/hackney/commit/52310ca807e7b48441ba0e9129171f535313fdd1	6b3ad84c-e1a6-4bf7-a703-f496b71e49db	github.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

Vendor Comments And Credit

Discovery Credit

CNA: Peter Ullrich (en)

CNA: Benoit Chesneau (en)

CNA: Jonatan Männchen (en)

There are currently no legacy QID mappings associated with this CVE.