VYPR
Medium severity6.5NVD Advisory· Published May 25, 2026· Updated May 27, 2026

CVE-2026-47076

CVE-2026-47076

Description

Interpretation Conflict vulnerability in benoitc hackney allows Server Side Request Forgery. hackney_url:normalize/2 URL-decodes the host component after the URL has been parsed into a #hackney_url{} record. OTP's uri_string:parse/1 and inet:parse_address/1 do not decode percent-escapes in the host, so a URL such as http://%31%32%37%2E%30%2E%30%2E%31/ is seen by a caller's allowlist validator with host %31%32%37%2E%30%2E%30%2E%31 (not an IP address), which passes the allowlist check. hackney's normalizer then decodes the host to 127.0.0.1 and opens a TCP connection to loopback. Because hackney:request/5 always calls hackney_url:normalize/2 with no opt-out, every request that takes a binary or list URL is affected. The same technique reaches cloud instance metadata services (169.254.169.254), RFC1918 networks, and any admin interface listening on localhost.

This issue affects hackney: from 0.13.0 before 4.0.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Benoitc/Hackneyinferred2 versions
    >=0.13.0,<4.0.1+ 1 more
    • (no CPE)range: >=0.13.0,<4.0.1
    • (no CPE)range: >=0.13.0, <4.0.1

Patches

Vulnerability mechanics

References

4

News mentions

1