Improper Parameter Handling in Elixir Plug Affects Cookie Management
CVE-2026-56813

2.1LOW

Key Information:

Status
Vendor
CVE Published:
10 July 2026

What is CVE-2026-56813?

The vulnerability in Elixir Plug allows attackers to manipulate HTTP cookie attributes by injecting ';' delimiters into cookie values. This occurs in the Plug.Conn.Cookies.encode/2 function, which fails to neutralize these delimiters when constructing the Set-Cookie header. If an application does not validate cookie inputs properly, attackers can exploit this weakness to override crucial cookie attributes like domain and path, and disable Secure and HttpOnly flags, leading to cookie tossing and session fixation issues.

Affected Version(s)

plug 0.1.0 < 1.16.6

plug 1.17.0 < 1.17.4

plug 1.18.0 < 1.18.5

References

CVSS V4

Score:
2.1
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Peter Ullrich
José Valim
Jonatan Männchen
.