CRLF Injection Vulnerability in Hackney HTTP Client by Benoit C
CVE-2026-47069

2.1 LOW

Key Information:

Vendor: Benoitc
Status: Vendor
CVE Published: 25 May 2026

What is CVE-2026-47069?

An improper neutralization of CRLF sequences (CRLF injection) vulnerability exists in the Hackney HTTP client. The issue arises because the domain and path options in cookie settings are concatenated into the header without validation: the hackney_cookie:setcookie/3 function does not check its Name and Value arguments for CR, LF or other control characters. An attacker who controls any of these inputs, for example through a manipulated Host header or request path, can therefore terminate the header line early and append further header lines (HTTP response splitting), which allows injection of arbitrary Set-Cookie headers. Deployments should confirm that the hackney version pinned in their lock file (mix.lock or rebar.lock) is 4.0.1 or later.
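To make the flaw class concrete, the following is an added Python model of a Set-Cookie header builder; it is not hackney's code and does not reproduce hackney_cookie:setcookie/3 itself. The function names setcookie_unsafe and setcookie_safe, the header_names helper and the injected cookie value are all constructed for this illustration. The unsafe builder concatenates name, value, domain and path exactly as given, so a value containing CRLF yields two header lines where one was intended; the safe builder enforces the RFC 6265 cookie-name (token) and cookie-value (cookie-octet) grammars and rejects control characters and ";" in the Domain and Path attributes.

```python
import re
from typing import Optional

# RFC 6265 grammar: cookie-name is an HTTP token; cookie-value is made of
# cookie-octets (printable US-ASCII excluding CTLs, whitespace, DQUOTE,
# comma, semicolon and backslash). CR and LF are CTLs, so both fail here.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
COOKIE_OCTET_RE = re.compile(r"^[\x21\x23-\x2b\x2d-\x3a\x3c-\x5b\x5d-\x7e]*$")
# Domain/Path attribute values may be any CHAR except CTLs and ";".
ATTR_BAD_RE = re.compile(r"[\x00-\x1f\x7f;]")


def setcookie_unsafe(name: str, value: str,
                     domain: Optional[str] = None,
                     path: Optional[str] = None) -> str:
    """Naive concatenation with no validation (the vulnerable pattern)."""
    parts = [f"{name}={value}"]
    if domain is not None:
        parts.append(f"Domain={domain}")
    if path is not None:
        parts.append(f"Path={path}")
    return "; ".join(parts)


def setcookie_safe(name: str, value: str,
                   domain: Optional[str] = None,
                   path: Optional[str] = None) -> str:
    """Same output as setcookie_unsafe, but every input is validated first."""
    if not TOKEN_RE.match(name):
        raise ValueError("cookie name is not an RFC 6265 token")
    if not COOKIE_OCTET_RE.match(value):
        raise ValueError("cookie value contains a control or reserved character")
    for label, attr in (("Domain", domain), ("Path", path)):
        if attr is not None and ATTR_BAD_RE.search(attr):
            raise ValueError(f"{label} attribute contains a control character or ';'")
    return setcookie_unsafe(name, value, domain, path)


def header_names(raw_headers: str) -> list:
    """Split a raw header block the way a receiver does (one header per CRLF)."""
    return [line.split(":", 1)[0] for line in raw_headers.split("\r\n") if line]


# Constructed attacker-controlled value: ends the header line and adds another.
INJECTED_VALUE = "abc\r\nSet-Cookie: role=admin"


def unsafe_demo() -> list:
    """Returns the header names a receiver sees when the unsafe builder is used."""
    raw = "Set-Cookie: " + setcookie_unsafe("session", INJECTED_VALUE, path="/")
    return header_names(raw)


def safe_demo() -> str:
    """Returns the rejection message the safe builder produces for the same input."""
    try:
        setcookie_safe("session", INJECTED_VALUE, path="/")
    except ValueError as exc:
        return str(exc)
    return "accepted"


if __name__ == "__main__":
    print("unsafe:", unsafe_demo())
    print("safe:  ", safe_demo())
```

Running the block shows the unsafe builder producing two Set-Cookie lines from a single call, while the safe builder refuses the value before any header is emitted. The same allow-list checks belong on every header component an application passes through, including the Host and path values mentioned in the description.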

Affected Version(s)

hackney >= 0.9.0, < 4.0.1

hackney (git) from commit 602d5c7f2ea4acbc83ed75230655d935a0750ebc up to, but not including, 8e02b99c28aea1b3fa2ddc0e66f51fe5bb0ac540

CVSS V4

Score: 2.1
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Local
Attack Complexity: Low
Attack Requirements: Physical
Privileges Required: Undefined
User Interaction: None

Note: the Attack Requirements and Privileges Required values are reproduced as listed. In CVSS v4.0 the Attack Requirements metric takes only None or Present, and Privileges Required only None, Low or High, so these two entries appear to be mis-rendered and should be checked against the vector string in the original advisory.

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Peter Ullrich
Benoit Chesneau
Jonatan Männchen