CVE-2026-49756

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-49756

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-49756.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2026-49756

Aliases

EEF-CVE-2026-49756
GHSA-px9f-whj3-246m

Published

2026-06-08T15:20:24.035Z

Modified

2026-06-18T03:55:40.156676595Z

Severity

2.1 (Low) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N CVSS Calculator

Summary

Multipart form-data header injection in Req via unescaped name/filename/content_type

Details

Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in wojtekmach Req allows multipart parameter smuggling via attacker-influenced part metadata.

Req.Utils.encodeformpart/2 in lib/req/utils.ex builds the per-part headers by interpolating the caller-supplied name, filename, and content_type values directly into the content-disposition and content-type lines with no escaping or CRLF stripping. A value containing ", \r, or \n closes the surrounding quoted value and starts a new header line; an additional \r\n--<boundary> terminates the current part and prepends a smuggled part of the attacker's choosing.

This is reachable through every supported way of supplying a part. It is particularly easy when value is a %File.Stream{}, because filename then defaults to Path.basename(stream.path) and POSIX filenames may legitimately contain \r and \n. Any application that forwards user-controlled filenames (or field names / MIME types) through Req.post/2 with form_multipart: lets an attacker inject arbitrary headers into the outgoing multipart body or smuggle additional fields and parts into the request the victim service sends downstream.

This issue affects req: from 0.5.3 before 0.6.0.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/49xxx/CVE-2026-49756.json",
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "60253dbe9436cb8e9c738f895032f2e87939b597"
                },
                {
                    "fixed": "74506ff2c5addf74df85d79dc726e9b2e264a8ba"
                }
            ]
        }
    ],
    "cwe_ids": [
        "CWE-93"
    ],
    "cna_assigner": "EEF"
}

References

Affected packages

Git / github.com/wojtekmach/req

Affected ranges

Type

GIT

Repo

https://github.com/wojtekmach/req

Events

Introduced

8431d07b0ac058ea2050f40d622d8e89cb07f33c

Fixed

8e7425f790d669d6996347ad0a72ba57f51138a8

Fixed

74506ff2c5addf74df85d79dc726e9b2e264a8ba

Database specific

{
    "source": [
        "DESCRIPTION",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0.5.3"
        },
        {
            "fixed": "0.6.0"
        }
    ]
}

Affected versions

v0.*

v0.5.10

v0.5.11

v0.5.12

v0.5.13

v0.5.14

v0.5.16

v0.5.17

v0.5.18

v0.5.3

v0.5.4

v0.5.5

v0.5.6

v0.5.7

v0.5.8

v0.5.9

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-49756.json"