CVE-2026-48595
Summary
Tesla.Middleware.FollowRedirects is meant to strip the Authorization header when following a cross-origin redirect, but performs the check with a case-sensitive comparison against the lowercase string "authorization". Because Tesla preserves header keys exactly as supplied by the caller, any application that sets the header with its RFC 7235 canonical casing ("Authorization") bypasses the filter entirely, leaking bearer tokens or other credentials to whatever origin the redirect points at.
Details
The filter list in lib/tesla/middleware/follow_redirects.ex is defined as @filter_headers ["authorization", "host"] and the membership check k not in @filter_headers compares the raw key string without case normalization. HTTP header names are case-insensitive per RFC 7230, but Tesla stores them verbatim. A header tuple {"Authorization", "Bearer …"} does not match "authorization", so it passes through the filter and is forwarded to the redirect destination unchecked. The same defect applies to the "Host" entry.
An attacker who can control a Location: response seen by the victim client (their own endpoint, a redirect-open service, or a compromised upstream) receives the credential on the cross-origin follow. No special configuration is required beyond the victim using the standard header casing.
PoC
1. Configure a Tesla client with Tesla.Middleware.FollowRedirects and set the Authorization header using canonical casing ({"Authorization", "Bearer <token>"}).
2. Make a request to an endpoint that returns a 302 redirect to a different origin.
3. Observe that the Authorization header with its value is present in the request delivered to the redirect destination.
Impact
High severity (CVSS v4.0: 8.2). Any application using tesla 1.4.0 through 1.18.2 with Tesla.Middleware.FollowRedirects and a non-lowercase Authorization header is affected. The workaround is to use all-lowercase "authorization" as the header key until upgrading to 1.18.3.
Workarounds
Normalize a
⚡ Watch CVE-2026-48595
Get an email if CVE-2026-48595 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Exploitation outlook
- Low exploitation risk0.40% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 32% of all EPSS-scored CVEs.
Advisory coverage (1)
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2026-48595)