CVE-2026-49756
Severity CVSS v4.0:
LOW
Type:
CWE-93
Improper Neutralization of CRLF Sequences ('CRLF Injection')
Publication date:
08/06/2026
Last modified:
08/06/2026
Description
Improper Neutralization of CRLF Sequences (&#39;CRLF Injection&#39;) vulnerability in wojtekmach Req allows multipart parameter smuggling via attacker-influenced part metadata.<br />
<br />
Req.Utils.encode_form_part/2 in lib/req/utils.ex builds the per-part headers by interpolating the caller-supplied name, filename, and content_type values directly into the content-disposition and content-type lines with no escaping or CRLF stripping. A value containing ", \r, or \n closes the surrounding quoted value and starts a new header line; an additional \r\n-- terminates the current part and prepends a smuggled part of the attacker&#39;s choosing.<br />
<br />
This is reachable through every supported way of supplying a part. It is particularly easy when value is a %File.Stream{}, because filename then defaults to Path.basename(stream.path) and POSIX filenames may legitimately contain \r and \n. Any application that forwards user-controlled filenames (or field names / MIME types) through Req.post/2 with form_multipart: lets an attacker inject arbitrary headers into the outgoing multipart body or smuggle additional fields and parts into the request the victim service sends downstream.<br />
<br />
This issue affects req: from 0.5.3 before 0.6.0.
Impact
Base Score 4.0
2.10
Severity 4.0
LOW
References to Advisories, Solutions, and Tools
- https://cna.erlef.org/cves/CVE-2026-49756.html
- https://github.com/wojtekmach/req/commit/74506ff2c5addf74df85d79dc726e9b2e264a8ba
- https://github.com/wojtekmach/req/security/advisories/GHSA-px9f-whj3-246m
- https://osv.dev/vulnerability/EEF-CVE-2026-49756
- https://github.com/wojtekmach/req/security/advisories/GHSA-px9f-whj3-246m