Vulnerability Details: CVE-2026-49756

Summary
Assigner: EEF
Assigner Org ID: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
Published At: 08 Jun, 2026 | 15:20
Updated At: 08 Jun, 2026 | 16:34
Rejected At: -

Multipart form-data header injection in Req via unescaped name/filename/content_type

Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in wojtekmach Req allows multipart parameter smuggling via attacker-influenced part metadata. Req.Utils.encode_form_part/2 in lib/req/utils.ex builds the per-part headers by interpolating the caller-supplied name, filename, and content_type values directly into the content-disposition and content-type lines with no escaping or CRLF stripping. A value containing ", \r, or \n closes the surrounding quoted value and starts a new header line; an additional \r\n--<boundary> terminates the current part and prepends a smuggled part of the attacker's choosing. This is reachable through every supported way of supplying a part. It is particularly easy when value is a %File.Stream{}, because filename then defaults to Path.basename(stream.path) and POSIX filenames may legitimately contain \r and \n. Any application that forwards user-controlled filenames (or field names / MIME types) through Req.post/2 with form_multipart: lets an attacker inject arbitrary headers into the outgoing multipart body or smuggle additional fields and parts into the request the victim service sends downstream. This issue affects req: from 0.5.3 before 0.6.0.

▼CVE Numbering Authority (CNA)
Affected Products
Vendor
wojtekmach
Product
req
Collection URL
https://repo.hex.pm
Package Name
req
Repo
https://github.com/wojtekmach/req
CPEs
  • cpe:2.3:a:wojtekmach:req:*:*:*:*:*:*:*:*
Modules
  • 'Elixir.Req.Utils'
Program Files
  • lib/req/utils.ex
Program Routines
  • 'Elixir.Req.Utils':encode_form_part/2
Default Status
unaffected
Versions
Affected
  • From 0.5.3 before 0.6.0 (semver)
Vendor
wojtekmach
Product
req
Collection URL
https://github.com
Package Name
wojtekmach/req
Repo
https://github.com/wojtekmach/req.git
CPEs
  • cpe:2.3:a:wojtekmach:req:*:*:*:*:*:*:*:*
Modules
  • 'Elixir.Req.Utils'
Program Files
  • lib/req/utils.ex
Program Routines
  • 'Elixir.Req.Utils':encode_form_part/2
Default Status
unaffected
Versions
Affected
  • From 60253dbe9436cb8e9c738f895032f2e87939b597 before 74506ff2c5addf74df85d79dc726e9b2e264a8ba (git)
Problem Types
Type: CWE
CWE ID: CWE-93
Description: Improper Neutralization of CRLF Sequences ('CRLF Injection')
Metrics
Version: 4.0
Base score: 2.1
Base severity: LOW
Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N
Metrics Other Info
Impacts
  • CAPEC-33 HTTP Request Smuggling
  • CAPEC-105 HTTP Request Splitting
Workarounds

Sanitize attacker-influenced name, filename, and content_type values before passing them to Req.post/2 with form_multipart:. At minimum, reject (or strip) any value containing \r, \n, or ". When forwarding uploads, derive filename from a normalised string rather than Path.basename/1 on a user-controlled path.
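The workaround above as an added example (not Req's own code and not the upstream patch): a hypothetical SafeMultipart module an application would put in front of Req.post/2, which rejects part metadata that could break a header line and derives the filename from a sanitized string instead of a user-controlled path. The `{File.Stream, filename: ..., content_type: ...}` part shape follows the option names in the advisory, and the upload map with `path`, `filename` and `content_type` fields is an assumption.

```elixir
# Added example, not Req's own code. SafeMultipart is a hypothetical module
# an application calls before Req.post/2 with form_multipart:.
defmodule SafeMultipart do
  # Bytes that end the quoted value or the header line inside a part header.
  @line_breakers ["\r", "\n", "\""]

  @doc """
  Rejects a part name, filename or content type containing CR, LF or a double
  quote, the bytes that let a value escape the content-disposition or
  content-type line (CWE-93).
  """
  @spec check(String.t()) :: {:ok, String.t()} | {:error, :header_injection}
  def check(value) when is_binary(value) do
    if String.contains?(value, @line_breakers),
      do: {:error, :header_injection},
      else: {:ok, value}
  end

  @doc """
  Derives a filename from the client-supplied string instead of calling
  Path.basename/1 on a client-controlled path: only a conservative character
  set survives, so CR, LF and quotes can never reach the header.
  """
  @spec safe_filename(String.t()) :: String.t()
  def safe_filename(name) when is_binary(name) do
    case String.replace(name, ~r/[^A-Za-z0-9._-]/u, "_") do
      "" -> "upload"
      clean -> clean
    end
  end

  @doc """
  Builds the form_multipart: part for one upload (upload map shape assumed).
  The File.Stream is paired with an explicit sanitized filename so Req never
  falls back to Path.basename(stream.path).
  """
  def build_part(field, %{path: path, filename: filename, content_type: ct}) do
    with {:ok, _} <- check(to_string(field)),
         {:ok, ct} <- check(ct) do
      part = {File.stream!(path), filename: safe_filename(filename), content_type: ct}
      {:ok, [{field, part}]}
    end
  end
end

# Usage with constructed values: a filename carrying CRLF is neutralised,
# a content type carrying CRLF is refused outright.
upload = %{path: "/tmp/upload-123", filename: "a.txt\r\nX-Injected: 1", content_type: "text/plain"}
{:ok, [file: {_stream, opts}]} = SafeMultipart.build_part(:file, upload)
true = opts[:filename] == "a.txt__X-Injected__1"
{:error, :header_injection} = SafeMultipart.build_part(:file, %{upload | content_type: "text/plain\r\nX: y"})
```

File.stream!/1 is lazy, so the example runs without the sample path existing; in a real handler the result list is passed as `form_multipart:` to Req.post/2.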

Credits
  • Finder: Peter Ullrich
  • Remediation developer: Wojtek Mach
  • Analyst: Jonatan Männchen / EEF
References
  • https://github.com/wojtekmach/req/security/advisories/GHSA-px9f-whj3-246m (vendor-advisory, related)
  • https://cna.erlef.org/cves/CVE-2026-49756.html (related)
  • https://osv.dev/vulnerability/EEF-CVE-2026-49756 (related)
  • https://github.com/wojtekmach/req/commit/74506ff2c5addf74df85d79dc726e9b2e264a8ba (patch)
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
References
  • https://github.com/wojtekmach/req/security/advisories/GHSA-px9f-whj3-246m (exploit)
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
Published At: 08 Jun, 2026 | 16:16
Updated At: 09 Jun, 2026 | 15:20

Metrics
Type: Secondary
Version: 4.0
Base score: 2.1
Base severity: LOW
Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Weaknesses
CWE ID: CWE-93
Type: Secondary
Source: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db
References
  • https://cna.erlef.org/cves/CVE-2026-49756.html (source: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db)
  • https://github.com/wojtekmach/req/commit/74506ff2c5addf74df85d79dc726e9b2e264a8ba (source: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db)
  • https://github.com/wojtekmach/req/security/advisories/GHSA-px9f-whj3-246m (source: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db)
  • https://osv.dev/vulnerability/EEF-CVE-2026-49756 (source: 6b3ad84c-e1a6-4bf7-a703-f496b71e49db)
  • https://github.com/wojtekmach/req/security/advisories/GHSA-px9f-whj3-246m (source: 134c704f-9b21-4f2e-91b3-4a467353bcc0)