Interpretation Conflict Vulnerability in Hackney by Benoit C
CVE-2026-47076

6.9MEDIUM

Key Information:

Vendor: Benoitc
Status: Hackney
Vendor: CVE Published:; 25 May 2026

What is CVE-2026-47076?

An interpretation conflict vulnerability in Hackney allows for server-side request forgery (SSRF). The issue arises due to the normalization process of URLs, where the host component is decoded improperly after the URL is parsed. This flaw enables an attacker to bypass whitelisting checks, exposing server resources to potential unauthorized access. Specifically, certain URLs containing percent-encoded addresses are parsed inaccurately, facilitating access to sensitive services, including cloud instance metadata and localhost interfaces. This vulnerability affects all requests using Hackney from versions 0.13.0 to just before 4.0.1.

Affected Version(s)

hackney 0.13.0 < 4.0.1

hackney 4d725507588942fd00efca15b86da3273656510a < 452620a92ec1da2e6b4862a049a2a4f04b42068f

References

https://github.com/benoitc/hackney/security/advisories/GH...

vendor-advisoryrelated

https://cna.erlef.org/cves/CVE-2026-47076.html

https://osv.dev/vulnerability/EEF-CVE-2026-47076

CVSS V4

Score:

6.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 25, 2026
Vulnerability Reserved
May 18, 2026

Credit

Ganbagana

Benoit Chesneau

Jonatan Männchen

CVE-2026-47076 Data

JSON

Benoitc

What is CVE-2026-47076?

Affected Version(s)

References

CVSS V4

Timeline

Credit