CVE-2026-47069

UNKNOWN 0.0

CRLF injection in cookie domain/path options in hackney

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in benoitc hackney allows HTTP Response Splitting. The hackney_cookie:setcookie/3 function in src/hackney_cookie.erl validates the Name and Value arguments against CRLF and control characters, but concatenates the domain and path options verbatim into the output iolist with no equivalent check. An attacker who controls either option — for example by supplying a Host header value forwarded as the cookie domain, or a request path forwarded as the cookie path — can inject a literal CRLF sequence and arbitrary additional Set-Cookie headers into the HTTP response. This issue affects hackney: from 0.9.0 before 4.0.1.

CWE	CWE-93
Vendor	benoitc
Product	hackney
Published	May 25, 2026
Last Updated	May 27, 2026

Stay Ahead of the Next One

Get instant alerts for benoitc hackney

Be the first to know when new unknown vulnerabilities affecting benoitc hackney are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

benoitc / hackney

0.9.0 < 4.0.1

benoitc / hackney

602d5c7f2ea4acbc83ed75230655d935a0750ebc < 8e02b99c28aea1b3fa2ddc0e66f51fe5bb0ac540

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/benoitc/hackney/security/advisories/GHSA-mp55-p8c9-rfw2 cna.erlef.org: https://cna.erlef.org/cves/CVE-2026-47069.html osv.dev: https://osv.dev/vulnerability/EEF-CVE-2026-47069 github.com: https://github.com/benoitc/hackney/commit/8e02b99c28aea1b3fa2ddc0e66f51fe5bb0ac540

Credits

Peter Ullrich Benoit Chesneau Jonatan Männchen / EEF