CVE-2026-47076

Exploit

EPSS 0.2%
Veröffentlicht 25.05.2026 14:00:46
Zuletzt bearbeitet 27.05.2026 13:51:53
Quelle 6b3ad84c-e1a6-4bf7-a703-f496b7
CVE-Watchlists
Login
Unerledigt
Login

SSRF allowlist bypass via percent-encoded host in hackney

Interpretation Conflict vulnerability in benoitc hackney allows Server Side Request Forgery. hackney_url:normalize/2 URL-decodes the host component after the URL has been parsed into a #hackney_url{} record. OTP's uri_string:parse/1 and inet:parse_address/1 do not decode percent-escapes in the host, so a URL such as http://%31%32%37%2E%30%2E%30%2E%31/ is seen by a caller's allowlist validator with host %31%32%37%2E%30%2E%30%2E%31 (not an IP address), which passes the allowlist check. hackney's normalizer then decodes the host to 127.0.0.1 and opens a TCP connection to loopback. Because hackney:request/5 always calls hackney_url:normalize/2 with no opt-out, every request that takes a binary or list URL is affected. The same technique reaches cloud instance metadata services (169.254.169.254), RFC1918 networks, and any admin interface listening on localhost.

This issue affects hackney: from 0.13.0 before 4.0.1.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 7

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Benoitc ≫ Hackney Version >= 0.13.0 < 4.0.1

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.2%	0.1

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	2	4	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
6b3ad84c-e1a6-4bf7-a703-f496b71e49db	6.9	0	0	CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-436 Interpretation Conflict

Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

https://github.com/benoitc/hackney/security/advisories/GHSA-pj7v-xfvx-wmjq

Patch

Vendor Advisory

Exploit

https://cna.erlef.org/cves/CVE-2026-47076.html

Patch

Third Party Advisory

https://osv.dev/vulnerability/EEF-CVE-2026-47076

Patch

Third Party Advisory

https://github.com/benoitc/hackney/commit/452620a92ec1da2e6b4862a049a2a4f04b42068f

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-47076

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-47076

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-47076

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-47076