HTTP Header Injection Vulnerability in Tesla by Elixir
CVE-2026-48596
2.1 LOW
What is CVE-2026-48596?
CVE-2026-48596 is an HTTP header injection vulnerability in Tesla, an HTTP client library for Elixir, caused by improper handling of CRLF sequences in HTTP headers. The function Tesla.Multipart.add_content_type_param/2 appends its input to the HTTP header without sanitizing it, so an application that passes untrusted user input to this function lets an attacker inject arbitrary headers into outbound requests. Applications that route such input to it without proper validation are affected and risk data exposure or further attacks.
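One way to validate a Content-Type parameter before it reaches Tesla.Multipart.add_content_type_param/2, shown as an added example that is not code from Tesla or from the advisory. The module name ContentTypeParamGuard, its functions, the "; " join used to model the header value, and the sample inputs are all assumptions made for illustration.

```elixir
# Added example: ContentTypeParamGuard is a hypothetical module, not part of Tesla.
defmodule ContentTypeParamGuard do
  @moduledoc "Rejects Content-Type parameters that could break out of the header line."

  # {:ok, param} for a safe "key=value" parameter, {:error, reason} otherwise.
  def validate(param) when is_binary(param) do
    cond do
      not String.valid?(param) -> {:error, :invalid_utf8}
      control_byte?(param) -> {:error, :control_character}
      not String.contains?(param, "=") -> {:error, :not_key_value}
      true -> {:ok, param}
    end
  end

  def validate(_other), do: {:error, :not_a_binary}

  # Validates every parameter first, then joins them. The "; " join is a
  # simplified model of a header value (assumption), not Tesla's own code.
  def build_header_value(params) when is_list(params) do
    errors = for p <- params, {:error, reason} <- [validate(p)], do: {reason, p}

    case errors do
      [] -> {:ok, Enum.join(["multipart/form-data" | params], "; ")}
      [first | _] -> {:error, first}
    end
  end

  # CR (0x0D) and LF (0x0A) end a header line; every other control byte and
  # DEL are refused as well, since none belongs in a parameter.
  defp control_byte?(bin) do
    bin |> :binary.bin_to_list() |> Enum.any?(&(&1 < 0x20 or &1 == 0x7F))
  end
end

# Constructed sample inputs: one benign value and three that must be refused.
samples = [
  "charset=utf-8",
  "charset=utf-8\r\nX-Injected: 1",
  "charset=utf-8\nX-Injected: 1",
  "charset"
]

for param <- samples do
  IO.inspect({param, ContentTypeParamGuard.validate(param)})
end

IO.inspect(ContentTypeParamGuard.build_header_value(["charset=utf-8", "a=b\r\nX-Injected: 1"]))
```

Only a value that comes back as {:ok, param} should be handed to Tesla.Multipart.add_content_type_param/2; rejecting the value outright is safer than stripping the CR and LF bytes and sending the remainder.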
Affected Version(s)
tesla 0.8.0 < 1.18.3
tesla 6ebfdb9abe9c6f119408045b933d82462decd351 < 23601edac5d22ba9407b427967b5bdbda201aec2
CVSS V4
Score: 2.1
Severity: LOW
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Local
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Peter Ullrich
Yordis Prieto
Jonatan Männchen
