CRLF Injection Vulnerability in Elixir Mint by Elixir
CVE-2026-48861

2.1 LOW

Key Information:

CVE Published: 2 June 2026

What is CVE-2026-48861?

The Mint library in Elixir has a vulnerability where improper handling of CRLF sequences can lead to HTTP Request Splitting and Smuggling. The encode_request_line function places the user-supplied HTTP method and target directly into the request line without sufficient validation, so attackers can inject arbitrary headers and create separate pipelined HTTP requests over the same TCP connection. Version 1.7.0 aimed to enhance validation, but the method field remains unverified, exposing all versions to potential exploitation when attacker-controlled input is used.
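A caller-side check for the two request-line values described above, as an added example that is not Mint's code and not taken from the advisory. The module and function names are hypothetical, and the choice of the RFC 9110 token grammar for the method is an assumption of this example.

```elixir
defmodule RequestLineGuard do
  @moduledoc """
  Added example, not Mint's code. Module and function names are
  hypothetical. Run these checks before a method or target derived
  from untrusted input reaches the HTTP client.
  """

  # RFC 9110 "tchar" symbols; letters and digits are covered by ranges below.
  @tchar_symbols ~c"!#$%&'*+-.^_`|~"

  # A method must be a non-empty token. CR, LF and SP are not tchars,
  # so a method that carries a line break is rejected as a whole.
  def validate_method(method) when is_binary(method) and method != "" do
    bytes = :binary.bin_to_list(method)
    if Enum.all?(bytes, &tchar?/1), do: {:ok, method}, else: {:error, :invalid_method}
  end

  def validate_method(_other), do: {:error, :invalid_method}

  # The target must not carry control bytes, space or DEL: any of them
  # would end the request line early or start a new line.
  def validate_target(target) when is_binary(target) and target != "" do
    bytes = :binary.bin_to_list(target)

    if Enum.any?(bytes, &(&1 <= 0x20 or &1 == 0x7F)),
      do: {:error, :invalid_target},
      else: {:ok, target}
  end

  def validate_target(_other), do: {:error, :invalid_target}

  # Both values must pass before a request is built from them.
  def validate(method, target) do
    with {:ok, m} <- validate_method(method),
         {:ok, t} <- validate_target(target) do
      {:ok, {m, t}}
    end
  end

  defp tchar?(c),
    do: c in ?a..?z or c in ?A..?Z or c in ?0..?9 or c in @tchar_symbols
end

# Constructed inputs (not from the advisory):
IO.inspect(RequestLineGuard.validate("GET", "/users?id=1"))
IO.inspect(RequestLineGuard.validate("GET / HTTP/1.1\r\nX-Injected: 1", "/"))
```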

Affected Version(s)

mint 0.1.0 < 1.9.0

mint 8db1acff30b6a9433762c18b1e1f891b8c1f74f7

CVSS V4

Score: 2.1
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Local
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Peter Ullrich
Eric Meadows-Jönsson
Jonatan Männchen / EEF