HTTP Request/Response Smuggling Vulnerability in Mint by Elixir
CVE-2026-49753

6.3 MEDIUM

Key Information:

CVE Published: 2 June 2026

What is CVE-2026-49753?

An inconsistency in the interpretation of HTTP requests within the Mint HTTP client allows attacker-controlled servers to manipulate response framing on shared connections. Specifically, Mint's Content-Length parser treats header values with a '+' prefix as valid lengths, contrary to RFC 7230. This misinterpretation can lead to response smuggling, where bytes from one response are erroneously merged into another, potentially compromising the integrity of communications when connections are reused across different trust boundaries. Developers and system administrators should be aware of this vulnerability and apply patches to secure their applications.
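The parsing difference described above, as an added example that is not Mint's code: a sign-tolerant integer parse next to a strict check against the RFC 7230 grammar (Content-Length = 1*DIGIT). The module name, function names and sample header values are hypothetical and constructed for illustration; the lenient function is an assumption about the kind of parsing that accepts a '+' prefix, not a copy of the affected code.

```elixir
defmodule ContentLengthCheck do
  # Hypothetical module for illustration; not taken from Mint.

  # Lenient: Integer.parse/1 accepts an optional leading sign,
  # so "+5" is read as the length 5.
  def lenient(value) do
    case Integer.parse(String.trim(value)) do
      {n, ""} when n >= 0 -> {:ok, n}
      _ -> :error
    end
  end

  # Strict: RFC 7230 section 3.3.2 defines Content-Length = 1*DIGIT.
  # Only optional surrounding space/tab and ASCII digits are accepted.
  def strict(value) do
    case Regex.run(~r/\A[ \t]*([0-9]+)[ \t]*\z/, value) do
      [_, digits] -> {:ok, String.to_integer(digits)}
      nil -> :error
    end
  end

  # Reports whether the two parsers agree on a header value. A mismatch
  # marks a value that a strict peer or intermediary would frame differently.
  def classify(value) do
    case {lenient(value), strict(value)} do
      {same, same} -> {:agree, same}
      {l, s} -> {:mismatch, l, s}
    end
  end
end

# Constructed sample Content-Length values.
samples = ["5", " 42 ", "+5", "-5", "5, 5", "0x10", ""]

for v <- samples do
  IO.puts("#{inspect(v)} => #{inspect(ContentLengthCheck.classify(v))}")
end
```

Per RFC 7230 section 3.3.3, a response with an invalid Content-Length has invalid framing, so a client should discard it and close the connection rather than return it to a pool.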

Affected Version(s)

mint 0.1.0 < 1.9.0

mint 65e0e86d799a6d3b08e4372fccdd9747535e0dd6 < 47e48027480228e4e32a0b4df39db497b4804921

CVSS V4

Score: 6.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Peter Ullrich
Eric Meadows-Jönsson
Jonatan Männchen / EEF