Improper Encoding in Tesla Affects Elixir Applications
CVE-2026-48598

2.1 LOW

Key Information:

CVE Published: 2 June 2026

What is CVE-2026-48598?

An improper encoding vulnerability in Tesla, an HTTP client library for Elixir, allows multipart part header injection. Tesla.Multipart.part_headers_for_disposition/1 builds the Content-Disposition header of a multipart part from caller-supplied values, and it does not validate or escape CR, LF, or double-quote characters in those values. Every code path that supplies a field name or filename to it, including Tesla.Multipart.add_field/4 and Tesla.Multipart.add_file/3, is therefore affected: an attacker who controls such a value (for example, a user-supplied filename that the application passes through unchanged) can close the quoted parameter and append additional header lines to the part. Affected versions are 0.8.0 up to, but not including, 1.18.3. Developers using Tesla in Elixir applications should upgrade to 1.18.3 or later and, until then, reject or escape these characters in any caller-controlled field name or filename before it reaches the multipart builder.
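The bug class described above, as an added example that is not Tesla's code: a minimal builder that interpolates a field name and filename into a Content-Disposition header the way the advisory describes, a hardened variant that rejects CR, LF and double quote before interpolation, and a small header parser that shows what a receiver would see. It is written in Python so it runs stand-alone; the function names, the constructed EVIL_FILENAME and the parser are assumptions of this example, not Tesla's API.

```python
"""Multipart part-header injection through unvalidated Content-Disposition
parameters, shown as an illustrative reimplementation (not Tesla's code)."""
import re

CRLF = "\r\n"

# Characters that must never appear raw inside a quoted Content-Disposition
# parameter: CR and LF terminate a header line, a double quote closes the
# quoted string. This is the check the advisory says was missing.
FORBIDDEN = re.compile(r'[\r\n"]')


class InvalidDispositionParameter(ValueError):
    """Raised when a name or filename would corrupt the part headers."""


def is_safe_disposition_param(value):
    """True if value can be placed inside a quoted parameter unchanged."""
    return FORBIDDEN.search(value) is None


def _disposition(name, filename):
    # Assumed header layout for the example: name first, optional filename.
    value = f'form-data; name="{name}"'
    if filename is not None:
        value += f'; filename="{filename}"'
    return f"Content-Disposition: {value}{CRLF}"


def part_headers_unsafe(name, filename=None):
    """Vulnerable pattern: values are quoted but never validated, so a
    caller-controlled value can close the quote and append header lines."""
    return _disposition(name, filename)


def part_headers_safe(name, filename=None):
    """Hardened pattern: reject CR, LF and double quote before interpolation."""
    for label, value in (("name", name), ("filename", filename)):
        if value is not None and not is_safe_disposition_param(value):
            raise InvalidDispositionParameter(
                f"{label} contains CR, LF or double quote: {value!r}")
    return _disposition(name, filename)


def parse_part_headers(raw):
    """Minimal header-block parser: one 'Name: value' per CRLF line,
    names lower-cased. Enough to show what a receiver would see."""
    headers = {}
    for line in raw.split(CRLF):
        if not line:
            continue
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return headers


# Constructed attacker-controlled filename: closes the filename quote, ends
# the header line, and smuggles an extra header into the part.
EVIL_FILENAME = 'report.txt"\r\nX-Injected: yes\r\nX-Tail: "'


def demo():
    """Return (headers seen by a receiver of the unsafe output, whether the
    safe builder rejected the same value)."""
    injected = parse_part_headers(part_headers_unsafe("upload", EVIL_FILENAME))
    try:
        part_headers_safe("upload", EVIL_FILENAME)
        rejected = False
    except InvalidDispositionParameter:
        rejected = True
    return injected, rejected


if __name__ == "__main__":
    seen, was_rejected = demo()
    print("unsafe builder produced headers:", sorted(seen))
    print("safe builder rejected the value:", was_rejected)
```

On Tesla versions before 1.18.3 the same rejection belongs in application code before any caller-controlled value reaches Tesla.Multipart.add_field/4 or Tesla.Multipart.add_file/3; after upgrading it remains a cheap defence in depth for values that cross a trust boundary.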

Affected Version(s)

tesla >= 0.8.0, < 1.18.3

tesla 6ebfdb9abe9c6f119408045b933d82462decd351

CVSS v4

Score: 2.1
Severity: LOW
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Local
Attack Complexity: Low
Attack Requirements: Physical
Privileges Required: Undefined
User Interaction: None

Credit

Peter Ullrich
Yordis Prieto
Jonatan Männchen