CVE-2026-47076

MEDIUM · EPSS 10.1%
Published May 25, 2026 · Modified Jun 17, 2026
6.9 CVSS 4.0 (Medium)

Description

Interpretation Conflict vulnerability in benoitc hackney allows Server Side Request Forgery. hackney_url:normalize/2 URL-decodes the host component after the URL has been parsed into a #hackney_url{} record. OTP's uri_string:parse/1 and inet:parse_address/1 do not decode percent-escapes in the host, so a URL such as http://%31%32%37%2E%30%2E%30%2E%31/ is seen by a caller's allowlist validator with host %31%32%37%2E%30%2E%30%2E%31 (not an IP address), which passes the allowlist check. hackney's normalizer then decodes the host to 127.0.0.1 and opens a TCP connection to loopback. Because hackney:request/5 always calls hackney_url:normalize/2 with no opt-out, every request that takes a binary or list URL is affected. The same technique reaches cloud instance metadata services (169.254.169.254), RFC1918 networks, and any admin interface listening on localhost. This issue affects hackney: from 0.13.0 before 4.0.1.
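As an added example that is not hackney's code, the check below runs the denylist on the host as the client will actually connect to it, not on the host as first parsed; Python's urlsplit stands in for uri_string:parse/1 because it likewise leaves percent-escapes in the host untouched, and the blocked networks are constructed from the ranges the description names.

```python
# Added example, not hackney's code: an SSRF pre-flight check that validates
# the host the client will connect to, rather than the host as first parsed.
# urlsplit stands in for uri_string:parse/1 (percent-escapes stay in the host);
# the blocked networks are constructed for this example.
import ipaddress
from urllib.parse import unquote, urlsplit

# Constructed denylist: loopback, RFC1918 and link-local (where cloud
# instance metadata at 169.254.169.254 lives).
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def raw_host(url: str) -> str:
    """Host exactly as the parser yields it; '%31%32...' stays encoded."""
    return urlsplit(url).hostname or ""


def normalized_host(url: str) -> str:
    """Host after the normalizer's percent-decoding: what gets connected to."""
    return unquote(raw_host(url))


def ip_literal_blocked(host: str) -> bool:
    """True if host is an IP literal that falls inside a blocked network."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False          # not an IP literal, so nothing to compare
    return any(ip in net for net in BLOCKED_NETS)


def naive_check(url: str) -> bool:
    """The vulnerable ordering: validate the host before normalization.
    An encoded loopback address is not an IP literal here, so it passes."""
    return not ip_literal_blocked(raw_host(url))


def hardened_check(url: str) -> bool:
    """Validate the normalized host, and refuse any host that needed decoding
    at all: a legitimate hostname or IP literal carries no percent-escapes."""
    raw, host = raw_host(url), normalized_host(url)
    if not host or host != raw or "%" in host:
        return False
    return not ip_literal_blocked(host)
```

This only covers IP literals; a hostname that resolves to an internal address still needs a check at resolution time, which this example does not do.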

CVSS Details

Base Score
6.9
Exploitability
Impact
Vector string
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Local
Attack Complexity Low
Privileges Required None
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
10.1% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 2

CWE-436 Interpretation Conflict
CWE-918 Server-Side Request Forgery (SSRF)

Affected Products 1

Vendor    Product   Version   Range
benoitc   hackney   *         ≥0.13.0 – <4.0.1

References 4

  • cna.erlef.org https://cna.erlef.org/cves/CVE-2026-47076.html
    Patch, Third Party Advisory
  • github.com https://github.com/benoitc/hackney/commit/452620a92ec1da2e6b4862a049a2a4f04b42068f
    Patch
  • github.com https://github.com/benoitc/hackney/security/advisories/GHSA-pj7v-xfvx-wmjq
    Exploit, Patch, Vendor Advisory
  • osv.dev https://osv.dev/vulnerability/EEF-CVE-2026-47076
    Patch, Third Party Advisory

Remediation

Fixed in hackney 4.0.1; the patch commit and the vendor advisory are listed under References above.