{"id":"CVE-2026-49756","summary":"Multipart form-data header injection in Req via unescaped name/filename/content_type","details":"Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in wojtekmach Req allows multipart parameter smuggling via attacker-influenced part metadata.\n\nReq.Utils.encode_form_part/2 in lib/req/utils.ex builds the per-part headers by interpolating the caller-supplied name, filename, and content_type values directly into the content-disposition and content-type lines with no escaping or CRLF stripping. A value containing \", \\r, or \\n closes the surrounding quoted value and starts a new header line; an additional \\r\\n--\u003cboundary\u003e terminates the current part and prepends a smuggled part of the attacker's choosing.\n\nThis is reachable through every supported way of supplying a part. It is particularly easy when value is a %File.Stream{}, because filename then defaults to Path.basename(stream.path) and POSIX filenames may legitimately contain \\r and \\n. Any application that forwards user-controlled filenames (or field names / MIME types) through Req.post/2 with form_multipart: lets an attacker inject arbitrary headers into the outgoing multipart body or smuggle additional fields and parts into the request the victim service sends downstream.\n\nThis issue affects req: from 0.5.3 before 0.6.0.","aliases":["EEF-CVE-2026-49756","GHSA-px9f-whj3-246m"],"modified":"2026-06-18T03:55:40.156676595Z","published":"2026-06-08T15:20:24.035Z","database_specific":{"cwe_ids":["CWE-93"],"unresolved_ranges":[{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"60253dbe9436cb8e9c738f895032f2e87939b597"},{"fixed":"74506ff2c5addf74df85d79dc726e9b2e264a8ba"}]}],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/49xxx/CVE-2026-49756.json","cna_assigner":"EEF"},"references":[{"type":"WEB","url":"https://cna.erlef.org/cves/CVE-2026-49756.html"},{"type":"WEB","url":"https://github.com"},{"type":"WEB","url":"https://osv.dev/vulnerability/EEF-CVE-2026-49756"},{"type":"WEB","url":"https://repo.hex.pm"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/49xxx/CVE-2026-49756.json"},{"type":"ADVISORY","url":"https://github.com/wojtekmach/req/security/advisories/GHSA-px9f-whj3-246m"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-49756"},{"type":"FIX","url":"https://github.com/wojtekmach/req/commit/74506ff2c5addf74df85d79dc726e9b2e264a8ba"},{"type":"PACKAGE","url":"https://github.com/wojtekmach/req"},{"type":"PACKAGE","url":"https://github.com/wojtekmach/req.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/wojtekmach/req","events":[{"introduced":"8431d07b0ac058ea2050f40d622d8e89cb07f33c"},{"fixed":"8e7425f790d669d6996347ad0a72ba57f51138a8"},{"fixed":"74506ff2c5addf74df85d79dc726e9b2e264a8ba"}],"database_specific":{"source":["DESCRIPTION","REFERENCES"],"extracted_events":[{"introduced":"0.5.3"},{"fixed":"0.6.0"}]}}],"versions":["v0.5.18","v0.5.17","v0.5.16","v0.5.14","v0.5.13","v0.5.12","v0.5.11","v0.5.10","v0.5.9","v0.5.8","v0.5.7","v0.5.6","v0.5.5","v0.5.4","v0.5.3"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-49756.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N"}]}