CVE-2026-47072

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-47072
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-47072.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-47072
Aliases
Published
2026-05-25T14:00:47.852Z
Modified
2026-06-18T03:54:44.970076261Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N CVSS Calculator
Summary
CRLF injection in WebSocket upgrade request in hackney
Details

Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in benoitc hackney allows HTTP Request/Response Splitting. The WebSocket upgrade code in src/hackneyws.erl copies the host, path, headers (ExtraHeaders), and protocols options from the caller-supplied opts map into the internal #wsdata{} record in init/1 and then splices them verbatim into the raw HTTP/1.1 upgrade request by binary concatenation in dohandshake/1. No CRLF or NUL stripping is performed at any of these four injection sites. An attacker who controls any of these options — for example by forwarding URL components or header values from untrusted input into hackneyws:start_link/1 — can inject arbitrary HTTP headers into the outbound WebSocket upgrade request, leading to header injection, credential spoofing toward the upstream server, log and cache poisoning, or request smuggling via intermediary proxies.

This issue affects hackney: from 2.0.0 before 4.0.1.

Database specific 
{
    "cwe_ids": [
        "CWE-93"
    ],
    "cna_assigner": "EEF",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/47xxx/CVE-2026-47072.json",
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "introduced": "690cecaf236fba49526da404a5bc889a24367a3e"
                },
                {
                    "fixed": "52310ca807e7b48441ba0e9129171f535313fdd1"
                }
            ],
            "source": "AFFECTED_FIELD"
        }
    ]
}
References

Affected packages

Git / github.com/benoitc/hackney

Affected ranges

Type
GIT
Repo
https://github.com/benoitc/hackney
Events
Introduced
a7ce34b42892ab305b2ef7dbe873bcabf4ef93ca
Fixed
c41c8d48ace8141b003f6f1de3ca6734a0c53056
Fixed
52310ca807e7b48441ba0e9129171f535313fdd1
Database specific 
{
    "extracted_events": [
        {
            "introduced": "2.0.0"
        },
        {
            "fixed": "4.0.1"
        }
    ],
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:benoitc:hackney:*:*:*:*:*:*:*:*"
}

Affected versions

2.*
2.0.0
2.0.1
3.*
3.0.1
3.0.2
3.0.3
3.1.0
3.1.1
3.1.2
3.2.0
3.2.1
4.*
4.0.0

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-47072.json"