CRLF Injection Vulnerability in Hackney WebSocket Upgrade
CVE-2026-47072

6.9 MEDIUM

Key Information:

Vendor: Benoitc
Status: Vendor
CVE Published: 25 May 2026

What is CVE-2026-47072?

The vulnerability in Hackney arises from inadequate handling of CRLF sequences, which allows HTTP request/response splitting. By exploiting this flaw, an unauthorized party can inject arbitrary HTTP headers during the WebSocket upgrade. Because the upgrade request is built from user-supplied input without sufficient validation, an attacker can manipulate header values, poison logs and caches, and potentially achieve request smuggling. This vulnerability underlines the importance of validating input and handling request parameters safely in applications that use Hackney.
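
The following is an added illustration, written in Python rather than Hackney's Erlang and not taken from Hackney's source, of the class of defect the advisory describes: a WebSocket upgrade request serialized from caller-supplied header values without checking them. It contrasts a naive builder, which lets a value containing CRLF terminate its line and start a new header, with a hardened builder that validates every header name and value against the HTTP field grammar before serialization (the check covers names as well as values, going slightly beyond the advisory's wording). All names, paths, hosts and the tainted value are constructed for the example.

```python
"""Added example (not Hackney's code): CRLF injection in a hand-built
WebSocket upgrade request, and the validation that prevents it."""
import re

CRLF = "\r\n"

# HTTP field grammar (RFC 9110): a field name is a token; a field value is
# visible ASCII, space, horizontal tab or obs-text (0x80-0xFF). CR, LF and
# NUL are never valid inside a value, and a request-target contains no
# whitespace or control characters. re.fullmatch is used deliberately: a
# '$'-anchored match would still accept a value ending in a bare '\n'.
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
_FIELD_VALUE_RE = re.compile(r"[\t\x20-\x7e\x80-\xff]*")
_REQUEST_TARGET_RE = re.compile(r"[\x21-\x7e]+")

# Headers the builder always emits itself; used when counting injected ones.
_BUILTIN_HEADERS = {"host", "connection", "upgrade", "sec-websocket-version"}


class HeaderInjectionError(ValueError):
    """Raised when a name, value or path could alter the request's line structure."""


def validate_header(name: str, value: str) -> None:
    """Reject names and values that could end a header line or begin a new one."""
    if not _TOKEN_RE.fullmatch(name):
        raise HeaderInjectionError(f"invalid header name: {name!r}")
    if not _FIELD_VALUE_RE.fullmatch(value):
        raise HeaderInjectionError(f"invalid header value for {name}: {value!r}")


def build_upgrade_request_unsafe(path: str, host: str, extra_headers) -> str:
    """Vulnerable pattern: caller-supplied names and values are concatenated verbatim."""
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}",
        "Connection: Upgrade",
        "Upgrade: websocket",
        "Sec-WebSocket-Version: 13",
    ]
    for name, value in extra_headers:
        lines.append(f"{name}: {value}")
    return CRLF.join(lines) + CRLF + CRLF


def build_upgrade_request_safe(path: str, host: str, extra_headers) -> str:
    """Hardened builder: path, host and every extra header are validated first."""
    if not _REQUEST_TARGET_RE.fullmatch(path):
        raise HeaderInjectionError(f"invalid request target: {path!r}")
    validate_header("Host", host)
    for name, value in extra_headers:
        validate_header(name, value)
    # Once validated, serialization can safely reuse the plain builder.
    return build_upgrade_request_unsafe(path, host, extra_headers)


def parse_head(raw: str):
    """Split a serialized request head into (request_line, [(name, value), ...])
    the way a receiving server would, i.e. on CRLF boundaries."""
    head, _, _ = raw.partition(CRLF + CRLF)
    request_line, *header_lines = head.split(CRLF)
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return request_line, headers


def injected_headers(supplied, raw: str):
    """Headers a server would see that the caller never supplied as a header.
    Useful as a self-check on outgoing requests or in a test suite."""
    _, parsed = parse_head(raw)
    known = _BUILTIN_HEADERS | {name.lower() for name, _ in supplied}
    return [(n, v) for n, v in parsed if n.lower() not in known]


# Constructed input: one caller-controlled Origin value that carries a CRLF
# sequence followed by text shaped like a second header.
TAINTED_SUPPLIED = [("Origin", "https://example.test" + CRLF + "X-Constructed-Injected: 1")]
CLEAN_SUPPLIED = [("Origin", "https://example.test"), ("Sec-WebSocket-Protocol", "chat")]

if __name__ == "__main__":
    raw = build_upgrade_request_unsafe("/ws", "example.test", TAINTED_SUPPLIED)
    print("unsafe builder leaked extra headers:", injected_headers(TAINTED_SUPPLIED, raw))
    try:
        build_upgrade_request_safe("/ws", "example.test", TAINTED_SUPPLIED)
    except HeaderInjectionError as exc:
        print("safe builder rejected input:", exc)
    print("clean request ok:", injected_headers(CLEAN_SUPPLIED,
          build_upgrade_request_safe("/ws", "example.test", CLEAN_SUPPLIED)) == [])
```

The `injected_headers` check re-parses the serialized request exactly as a server would, so it doubles as a regression test for any client that builds HTTP by string concatenation: if the parsed header count exceeds what the caller supplied plus the builder's fixed headers, a line break slipped through. Rejecting the input, rather than stripping CR/LF, is the safer choice because stripping can silently change the meaning of a value.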

Affected Version(s)

hackney 2.0.0 < 4.0.1

hackney 690cecaf236fba49526da404a5bc889a24367a3e < 52310ca807e7b48441ba0e9129171f535313fdd1

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Peter Ullrich
Benoit Chesneau
Jonatan Männchen