HTTP Request Splitting Vulnerability in Hackney by Benoit C.
CVE-2026-47075

6.8MEDIUM

Key Information:

Vendor: Benoitc
Status: Hackney
Vendor: CVE Published:; 25 May 2026

What is CVE-2026-47075?

The Hackney HTTP client library has a vulnerability that allows an attacker to exploit improper handling of carriage return (CR) and line feed (LF) sequences within URLs. By not percent-encoding these characters in the URL query, Hackney permits the injection of CRLF sequences, potentially leading to HTTP request splitting. This can allow an attacker to manipulate HTTP headers or split requests, thereby posing significant security risks. Versions of Hackney prior to 4.0.1 are affected, making it essential for users to review and update their implementations.

Affected Version(s)

hackney 0 < 4.0.1

hackney 8bb1a359a81ae58567c84f8d24564e9742e6f2bd

References

https://github.com/benoitc/hackney/security/advisories/GH...

vendor-advisoryrelated

https://cna.erlef.org/cves/CVE-2026-47075.html

https://osv.dev/vulnerability/EEF-CVE-2026-47075

CVSS V4

Score:

6.8

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 25, 2026
Vulnerability Reserved
May 18, 2026

Credit

tepel-chen

Benoit Chesneau

Jonatan Männchen

CVE-2026-47075 Data

JSON