{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/http-client/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"id":"CVE-2026-48595"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["tesla (\u003e= 0.6.0, \u003c 1.18.3)"],"_cs_severities":["high"],"_cs_tags":["credential-access","exfiltration","vulnerability","elixir","http-client"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA high-severity vulnerability, CVE-2026-48595, has been identified in the \u003ccode\u003etesla\u003c/code\u003e Elixir HTTP client library, specifically within its \u003ccode\u003eTesla.Middleware.FollowRedirects\u003c/code\u003e component. This flaw impacts versions 0.6.0 up to, but not including, 1.18.3. The middleware is designed to strip sensitive \u003ccode\u003eAuthorization\u003c/code\u003e headers when following cross-origin redirects to prevent credential leakage. However, its internal filter performs a case-sensitive comparison against a lowercase string \u003ccode\u003e\u0026quot;authorization\u0026quot;\u003c/code\u003e. Because \u003ccode\u003etesla\u003c/code\u003e preserves header keys exactly as supplied, applications using the RFC 7235 canonical casing (\u003ccode\u003e\u0026quot;Authorization\u0026quot;\u003c/code\u003e) bypass this filter entirely. Consequently, if an application sends a request with an \u003ccode\u003eAuthorization\u003c/code\u003e header using canonical casing and is redirected to an attacker-controlled origin, sensitive credentials like bearer tokens can be inadvertently leaked to the attacker. This poses a significant risk to applications relying on \u003ccode\u003etesla\u003c/code\u003e for secure HTTP communications.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker establishes control over a web server or service capable of issuing HTTP \u003ccode\u003e302\u003c/code\u003e redirects to an arbitrary, attacker-controlled domain (e.g., a malicious server, a redirect-open service, or a compromised upstream server).\u003c/li\u003e\n\u003cli\u003eA victim application, using the \u003ccode\u003etesla\u003c/code\u003e Elixir HTTP client library (version 0.6.0 through 1.18.2) with \u003ccode\u003eTesla.Middleware.FollowRedirects\u003c/code\u003e enabled, constructs an outbound HTTP request.\u003c/li\u003e\n\u003cli\u003eThe victim application includes an \u003ccode\u003eAuthorization\u003c/code\u003e header with canonical casing (e.g., \u003ccode\u003e{\u0026quot;Authorization\u0026quot;, \u0026quot;Bearer \u0026lt;token\u0026gt;\u0026quot;}\u003c/code\u003e) for authentication in its request.\u003c/li\u003e\n\u003cli\u003eThe victim application sends its request to an endpoint, which the attacker can influence to issue an HTTP \u003ccode\u003e302\u003c/code\u003e (or similar redirect status code) pointing to the attacker-controlled domain.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eTesla.Middleware.FollowRedirects\u003c/code\u003e component within the victim application attempts to filter sensitive headers before automatically following the redirect.\u003c/li\u003e\n\u003cli\u003eDue to a case-sensitive comparison logic (\u003ccode\u003e\u0026quot;authorization\u0026quot;\u003c/code\u003e vs. \u003ccode\u003e\u0026quot;Authorization\u0026quot;\u003c/code\u003e), the middleware fails to identify and strip the canonical \u003ccode\u003eAuthorization\u003c/code\u003e header from the outgoing request.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003etesla\u003c/code\u003e client follows the redirect and inadvertently includes the sensitive \u003ccode\u003eAuthorization\u003c/code\u003e header, complete with its bearer token or other credentials, in the request to the attacker-controlled domain, leading to credential theft.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability carries a high severity (CVSS v4.0: 8.2). Any application utilizing \u003ccode\u003etesla\u003c/code\u003e versions 0.6.0 through 1.18.2 with \u003ccode\u003eTesla.Middleware.FollowRedirects\u003c/code\u003e and supplying non-lowercase \u003ccode\u003eAuthorization\u003c/code\u003e headers is at risk. Successful exploitation results in the leakage of sensitive credentials, such as bearer tokens, to an attacker-controlled endpoint. This can lead to unauthorized access to systems or data, session hijacking, and further compromise of the victim's environment, directly impacting the confidentiality and integrity of affected applications and their users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePrioritize upgrading the \u003ccode\u003etesla\u003c/code\u003e Elixir HTTP client library to version 1.18.3 or later immediately to remediate CVE-2026-48595.\u003c/li\u003e\n\u003cli\u003eIf immediate patching is not possible, implement the recommended workaround by normalizing all \u003ccode\u003eAuthorization\u003c/code\u003e header keys to lowercase (e.g., \u003ccode\u003e\u0026quot;authorization\u0026quot;\u003c/code\u003e) before passing them to \u003ccode\u003etesla\u003c/code\u003e via \u003ccode\u003eTesla.put_header/3\u003c/code\u003e or \u003ccode\u003eTesla.Middleware.Headers\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eReview application code for the usage of \u003ccode\u003eTesla.Middleware.FollowRedirects\u003c/code\u003e and how \u003ccode\u003eAuthorization\u003c/code\u003e headers are set to identify potentially vulnerable instances.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-10T00:07:45Z","date_published":"2026-07-10T00:07:45Z","id":"https://feed.craftedsignal.io/briefs/2026-07-tesla-header-leak/","summary":"A vulnerability in the `Tesla.Middleware.FollowRedirects` component of the `tesla` Elixir HTTP client library allows `Authorization` headers to be leaked during cross-origin redirects due to a case-sensitive comparison, enabling an attacker controlling a redirect destination to receive bearer tokens or other credentials from applications using `tesla` versions 0.6.0 through 1.18.2.","title":"Tesla Elixir HTTP Client Header Leak via Case-Sensitive Redirect Filtering (CVE-2026-48595)","url":"https://feed.craftedsignal.io/briefs/2026-07-tesla-header-leak/"}],"language":"en","title":"CraftedSignal Threat Feed - Http-Client","version":"https://jsonfeed.org/version/1.1"}