Credential Leakage Vulnerability in Tesla by Elixir
CVE-2026-48595
8.2 HIGH
What is CVE-2026-48595?
The Elixir Tesla HTTP client library is vulnerable because its redirect-handling middleware mishandles header name case on cross-origin redirects. Before following a redirect to another origin, the middleware strips security-sensitive headers such as 'Authorization' by comparing each header name, case-sensitively, against a list of lowercase filter entries. Because HTTP header field names are case-insensitive, a header written as 'Authorization' rather than 'authorization' does not match the filter and is forwarded to the redirect target, leaking sensitive values such as bearer tokens. An attacker capable of influencing a redirect may exploit this flaw to obtain those credentials.
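The following Elixir module is an added illustration, not the Tesla library's own middleware: it places the case-sensitive filter the advisory describes beside a case-insensitive fix, and gates stripping on an origin change. Module and function names are hypothetical, and the request headers are constructed sample data.

```elixir
defmodule RedirectHeaderFilter do
  @moduledoc """
  Hypothetical illustration (not Tesla's code) of removing credential-bearing
  headers before a request is re-sent to a different origin after a redirect.
  """

  # Header names that must never be forwarded to another origin.
  @sensitive ["authorization", "cookie", "proxy-authorization"]

  # Vulnerable form: the name is compared exactly as the caller wrote it.
  # "Authorization" (the spelling most clients use) is not in the lowercase
  # list, so the bearer token survives and is sent to the redirect target.
  def strip_vulnerable(headers) do
    Enum.reject(headers, fn {name, _value} -> name in @sensitive end)
  end

  # Hardened form: HTTP field names are case-insensitive, so normalise the
  # name before comparing. Every spelling of "Authorization" is removed.
  def strip_hardened(headers) do
    Enum.reject(headers, fn {name, _value} -> String.downcase(name) in @sensitive end)
  end

  # A redirect is cross-origin when scheme, host or port differs.
  # URI.parse fills in the default port for known schemes, so
  # "https://a.example" and "https://a.example:443" compare equal.
  def cross_origin?(from_url, to_url) do
    from = URI.parse(from_url)
    to = URI.parse(to_url)
    {from.scheme, from.host, from.port} != {to.scheme, to.host, to.port}
  end

  # Headers to carry into the redirected request: same origin keeps them all,
  # a different origin gets the hardened filter applied.
  def headers_for_redirect(headers, from_url, to_url) do
    if cross_origin?(from_url, to_url), do: strip_hardened(headers), else: headers
  end
end

# Constructed sample headers, written the way a typical client sends them.
headers = [{"Authorization", "Bearer <redacted-token>"}, {"Accept", "application/json"}]

# Vulnerable filter leaves the Authorization header in place; hardened one drops it.
IO.inspect(RedirectHeaderFilter.strip_vulnerable(headers), label: "vulnerable forwards")
IO.inspect(RedirectHeaderFilter.strip_hardened(headers), label: "hardened forwards")
IO.inspect(
  RedirectHeaderFilter.headers_for_redirect(headers, "https://api.example", "https://other.example/cb"),
  label: "cross-origin redirect forwards"
)
```

A regression check for this class of bug is to run the filter over headers in mixed case ("Authorization", "AUTHORIZATION", "authorization") and assert none reach a different origin.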
Affected Version(s)
tesla >= 1.4.0, < 1.18.3
tesla 2d937d5813d7cda5cd726f41824985fb655c920f
References
CVSS v4
Score: 8.2
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Physical
Privileges Required: Undefined
User Interaction: None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Peter Ullrich
Yordis Prieto
Jonatan Männchen
