FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Erlang/OTP -- httpc leaks authentication headers on cross-host redirect

Affected packages
erlang-runtime27 < 27.3.4.13
erlang-runtime28 < 28.5.0.2
erlang-runtime29 < 29.0.2

Details

VuXML ID d87e2466-64d4-11f1-ab11-4c526214c986
Discovery 2026-06-10
Entry 2026-06-10

https://github.com/erlang/otp/security/advisories/GHSA-m75x-4vwg-ggjh reports:

The HTTP client (httpc) in inets now removes Authorization, Proxy-Authorization, Cookie, Referer, and Origin headers when following a redirect to a different host or port, following the requirements of RFC 9110 section 15.4. Previously these headers were forwarded verbatim, potentially leaking credentials to unintended targets.
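For code that has to run on a release older than the fixed versions listed above, the same header handling can be applied by the caller. The following is an added example, not code from OTP or from the advisory: it turns off httpc's automatic redirects and follows them by hand, dropping the five headers named above when the host or port changes. The module name `safe_redirect`, its function names and the redirect limit of five are assumptions made for the illustration, and header names are assumed to be strings.

```erlang
%% Added example, not OTP code; module and function names are hypothetical.
-module(safe_redirect).
-export([fetch/2, strip_if_cross_origin/3]).

-define(SENSITIVE, ["authorization", "proxy-authorization", "cookie",
                    "referer", "origin"]).

%% GET Url with Headers ([{string(), string()}]), following up to five
%% redirects by hand. inets (and ssl for https) must already be started.
fetch(Url, Headers) -> fetch(Url, Headers, 5).

fetch(_Url, _Headers, 0) ->
    {error, too_many_redirects};
fetch(Url, Headers, Left) ->
    %% autoredirect=false stops httpc from following the redirect itself.
    case httpc:request(get, {Url, Headers}, [{autoredirect, false}], []) of
        {ok, {{_, Code, _}, RespHeaders, _}} = Resp
          when Code =:= 301; Code =:= 302; Code =:= 303;
               Code =:= 307; Code =:= 308 ->
            case proplists:get_value("location", RespHeaders) of
                undefined -> Resp;
                Location ->
                    case uri_string:resolve(Location, Url) of
                        {error, _, _} -> {error, bad_location};
                        Next ->
                            Kept = strip_if_cross_origin(Url, Next, Headers),
                            fetch(Next, Kept, Left - 1)
                    end
            end;
        Other -> Other
    end.

%% Keep Headers only when host and port are unchanged; otherwise (including
%% an unparsable URL) drop the credential-bearing ones.
strip_if_cross_origin(From, To, Headers) ->
    case {host_port(From), host_port(To)} of
        {{ok, Same}, {ok, Same}} -> Headers;
        _ -> [H || {Name, _} = H <- Headers,
                   not lists:member(string:lowercase(Name), ?SENSITIVE)]
    end.

%% {ok, {Host, Port}} with the scheme's default port filled in, else error.
host_port(Url) ->
    case uri_string:parse(Url) of
        #{host := Host} = Map ->
            Default = case string:lowercase(maps:get(scheme, Map, "")) of
                          "https" -> 443; "http" -> 80; _ -> undefined
                      end,
            {ok, {string:lowercase(Host), maps:get(port, Map, Default)}};
        _ -> error
    end.
```

Because default ports are filled in before comparison, a redirect from `https` to `http` on the same host counts as a port change and the headers are dropped.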

References

CVE Name CVE-2026-48856
URL https://github.com/erlang/otp/security/advisories/GHSA-m75x-4vwg-ggjh