CVE-2026-47076
6.5 MEDIUMInterpretation Conflict vulnerability in benoitc hackney allows Server Side Request Forgery
Published: 2026-05-25 · Last updated: 2026-05-27
Severity and scoring
- CVSS
- 6.5 MEDIUM
- Vector
- CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
- CWE
- CWE-436, CWE-918
Affected products
| Vendor | Product |
|---|---|
| benoitc | hackney |
Description
Interpretation Conflict vulnerability in benoitc hackney allows Server Side Request Forgery. hackney_url:normalize/2 URL-decodes the host component after the URL has been parsed into a #hackney_url{} record. OTP's uri_string:parse/1 and inet:parse_address/1 do not decode percent-escapes in the host, so a URL such as http://%31%32%37%2E%30%2E%30%2E%31/ is seen by a caller's allowlist validator with host %31%32%37%2E%30%2E%30%2E%31 (not an IP address), which passes the allowlist check. hackney's normalizer then decodes the host to 127.0.0.1 and opens a TCP connection to loopback. Because hackney:request/5 always calls hackney_url:normalize/2 with no opt-out, every request that takes a binary or list URL is affected. The same technique reaches cloud instance metadata services (169.254.169.254), RFC1918 networks, and any admin interface listening on localhost. This issue affects hackney: from 0.13.0 before 4.0.1.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-47076
- [Patch]https://cna.erlef.org/cves/CVE-2026-47076.html
- [Patch]https://github.com/benoitc/hackney/commit/452620a92ec1da2e6b4862a049a2a4f04b42068f
- [Patch]https://github.com/benoitc/hackney/security/advisories/GHSA-pj7v-xfvx-wmjq
- [Patch]https://osv.dev/vulnerability/EEF-CVE-2026-47076
- [Patch]https://github.com/benoitc/hackney/security/advisories/GHSA-pj7v-xfvx-wmjq
Related CVEs
Same vendor
- CVE-2026-47077 — Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding (7.5 HIGH)
- CVE-2026-47075 — Improper Neutralization of CRLF Sequences vulnerability in benoitc hackney allows HTTP Request Splitting (7.5 HIGH)
- CVE-2026-47073 — Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding (7.5 HIGH)
- CVE-2026-47072 — Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in benoitc hackney allows HTTP Request/Response Splitting (7.5 HIGH)
- CVE-2026-47071 — Uncontrolled Resource Consumption vulnerability in benoitc hackney allows Flooding (7.5 HIGH)
Same CWE
- CVE-2026-53812 — OpenClaw before 2026.5.18 contains a server-side request forgery vulnerability in browser control that allows authenticated users to bypa... (7.7 HIGH)
- CVE-2026-53782 — Summarize before 0.17.0 contains a server-side request forgery vulnerability that allows attackers who control a podcast RSS feed to dire... (7.4 HIGH)
- CVE-2026-47170 — Garlic-Hub manages digital signage network — devices, content, and playlists — from a single self-hosted interface (7.7 HIGH)
- CVE-2026-47157 — aiograpi is an asynchronous Instagram API for Python (6.5 MEDIUM)
- CVE-2026-46698 — Fediverse Embeds embeds fediverse posts on WordPress sites (5.3 MEDIUM)