CVE-2026-48595— Authorization header leaks to third-party origin on cross-origin redirect in Tesla.Middleware.FollowRedirects
Possible ATT&CK Techniques 1AI
T1530 · Data from Cloud StorageAffected Version Matrix 2
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| elixir-tesla | tesla | 1.4.0< 1.18.3 | affected |
2d937d5813d7cda5cd726f41824985fb655c920f< db963dba67651b9abd1fc420a1d9679cf6efe182 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-48595
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Authorization header leaks to third-party origin on cross-origin redirect in Tesla.Middleware.FollowRedirects
Source: NVD (National Vulnerability Database)
Vulnerability Description
Improper Handling of Case Sensitivity vulnerability in elixir-tesla tesla allows credential leakage to a third-party origin on cross-origin redirects. Tesla.Middleware.FollowRedirects strips security-sensitive headers on cross-origin redirects using a case-sensitive string comparison against a lowercase filter list (@filter_headers ["authorization", "host"]). HTTP header names are case-insensitive per RFC 7230, but Tesla preserves header keys verbatim as supplied by the caller without normalizing case. A header set as {"Authorization", "Bearer …"} (the RFC 7235 canonical casing used by virtually all HTTP libraries and documentation) does not match the lowercase filter entry and is forwarded to the redirect destination. An attacker who can control or influence a Location: response seen by the client (via their own endpoint, a redirect-open upstream, or a compromised origin) receives the bearer token or other Authorization material on the cross-origin request. This issue affects tesla: from 1.4.0 before 1.18.3.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
大小写敏感处理不恰当
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| elixir-tesla | tesla | 1.4.0 ~ 1.18.3 | cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:* | |
| elixir-tesla | tesla | 2d937d5813d7cda5cd726f41824985fb655c920f ~ db963dba67651b9abd1fc420a1d9679cf6efe182 | cpe:2.3:a:elixir-tesla:tesla:*:*:*:*:*:*:*:* |
II. Public POCs for CVE-2026-48595
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-48595
请登录查看更多情报信息。
Patches & Fixes for CVE-2026-48595 (1)
Vendor Advisories for CVE-2026-48595 (3)
- 🔗 EEF-CVE-2026-48595 - OSVrelated
Same Patch Batch · elixir-tesla · 2026-06-02 · 5 CVEs total
| CVE-2026-48598 | CRLF injection in Tesla.Multipart disposition parameters allows multipart part header inje | |
| CVE-2026-48594 | Decompression bomb in Tesla.Middleware.DecompressResponse and Tesla.Middleware.Compression | |
| CVE-2026-48596 | CRLF injection in Tesla.Multipart.add_content_type_param/2 allows HTTP header injection | |
| CVE-2026-48597 | Atom table exhaustion via untrusted URL scheme in Tesla.Adapter.Mint |
IV. Related Vulnerabilities
Same product: tesla
Same vendor: elixir-tesla
Same weakness: CWE-178
- CVE-2026-44367
Klaw: user lockout due to case sensitivity inconsistency - CVE-2026-47323
Apache Camel: Camel-CXF Message Header Injection via Missing - CVE-2026-43513
Apache Tomcat: LockOutRealm treats user names as case-sensit - CVE-2026-3833
Gnutls: gnutls: policy bypass due to case-sensitive namecons - CVE-2026-40453
Apache Camel JMS, Apache Camel CoAP, Apache Camel Google Pub
V. Comments for CVE-2026-48595
No comments yet