Improper Parameter Handling in Elixir Plug Affects Cookie Management
CVE-2026-56813
2.1LOW
What is CVE-2026-56813?
The vulnerability in Elixir Plug allows attackers to manipulate HTTP cookie attributes by injecting ';' delimiters into cookie values. This occurs in the Plug.Conn.Cookies.encode/2 function, which fails to neutralize these delimiters when constructing the Set-Cookie header. If an application does not validate cookie inputs properly, attackers can exploit this weakness to override crucial cookie attributes like domain and path, and disable Secure and HttpOnly flags, leading to cookie tossing and session fixation issues.
Affected Version(s)
plug 0.1.0 < 1.16.6
plug 1.17.0 < 1.17.4
plug 1.18.0 < 1.18.5
