Authorization header leaks to third-party origin on cross-origin redirect in Tesla.Middleware.FollowRedirects
Summary
| CVE | CVE-2026-48595 |
|---|---|
| State | PUBLISHED |
| Assigner | EEF |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-02 20:16:38 UTC |
| Updated | 2026-06-02 20:16:38 UTC |
| Description | Improper Handling of Case Sensitivity vulnerability in elixir-tesla tesla allows credential leakage to a third-party origin on cross-origin redirects. Tesla.Middleware.FollowRedirects strips security-sensitive headers on cross-origin redirects using a case-sensitive string comparison against a lowercase filter list (@filter_headers ["authorization", "host"]). HTTP header names are case-insensitive per RFC 7230, but Tesla preserves header keys verbatim as supplied by the caller without normalizing case. A header set as {"Authorization", "Bearer …"} (the RFC 7235 canonical casing used by virtually all HTTP libraries and documentation) does not match the lowercase filter entry and is forwarded to the redirect destination. An attacker who can control or influence a Location: response seen by the client (via their own endpoint, a redirect-open upstream, or a compromised origin) receives the bearer token or other Authorization material on the cross-origin request. This issue affects tesla: from 1.4.0 before 1.18.3. |
Risk And Classification
Primary CVSS: v4.0 8.2 HIGH from 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Problem Types: CWE-178 | CWE-178 CWE-178 Improper Handling of Case Sensitivity
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | 6b3ad84c-e1a6-4bf7-a703-f496b71e49db | Secondary | 8.2 | HIGH | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/C... |
| 4.0 | CNA | CVSS | 8.2 | HIGH | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
CVSS v4.0 Breakdown
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Elixir-tesla | Tesla | affected 1.4.0 1.18.3 semver | Not specified |
| CNA | Elixir-tesla | Tesla | affected 2d937d5813d7cda5cd726f41824985fb655c920f db963dba67651b9abd1fc420a1d9679cf6efe182 git | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| cna.erlef.org/cves/CVE-2026-48595.html | 6b3ad84c-e1a6-4bf7-a703-f496b71e49db | cna.erlef.org | |
| github.com/elixir-tesla/tesla/security/advisories/GHSA-9m9w-gxf7-rh8m | 6b3ad84c-e1a6-4bf7-a703-f496b71e49db | github.com | |
| osv.dev/vulnerability/EEF-CVE-2026-48595 | 6b3ad84c-e1a6-4bf7-a703-f496b71e49db | osv.dev | |
| github.com/elixir-tesla/tesla/commit/db963dba67651b9abd1fc420a1d9679cf6e... | 6b3ad84c-e1a6-4bf7-a703-f496b71e49db | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Peter Ullrich (en)
CNA: Yordis Prieto (en)
CNA: Jonatan Männchen (en)
Additional Advisory Data
Workarounds
CNA: Normalize all header keys to lowercase before passing them to Tesla. Use "authorization" instead of "Authorization" when setting headers via Tesla.put_header/3 or Tesla.Middleware.Headers.