{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "extracted_events": [
              {
                "introduced": "0.5.3"
              },
              {
                "fixed": "0.6.0"
              }
            ],
            "source": [
              "DESCRIPTION",
              "REFERENCES"
            ]
          },
          "events": [
            {
              "introduced": "8431d07b0ac058ea2050f40d622d8e89cb07f33c"
            },
            {
              "fixed": "8e7425f790d669d6996347ad0a72ba57f51138a8"
            },
            {
              "fixed": "74506ff2c5addf74df85d79dc726e9b2e264a8ba"
            }
          ],
          "repo": "https://github.com/wojtekmach/req",
          "type": "GIT"
        }
      ]
    }
  ],
  "aliases": [
    "GHSA-px9f-whj3-246m"
  ],
  "database_specific": {
    "cna_assigner": "EEF",
    "cwe_ids": [
      "CWE-93"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/49xxx/CVE-2026-49756.json",
    "unresolved_ranges": [
      {
        "extracted_events": [
          {
            "introduced": "60253dbe9436cb8e9c738f895032f2e87939b597"
          },
          {
            "fixed": "74506ff2c5addf74df85d79dc726e9b2e264a8ba"
          }
        ],
        "source": "AFFECTED_FIELD"
      }
    ]
  },
  "details": "Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in wojtekmach Req allows multipart parameter smuggling via attacker-influenced part metadata.\n\nReq.Utils.encode_form_part/2 in lib/req/utils.ex builds the per-part headers by interpolating the caller-supplied name, filename, and content_type values directly into the content-disposition and content-type lines with no escaping or CRLF stripping. A value containing \", \\r, or \\n closes the surrounding quoted value and starts a new header line; an additional \\r\\n--\u003cboundary\u003e terminates the current part and prepends a smuggled part of the attacker's choosing.\n\nThis is reachable through every supported way of supplying a part. It is particularly easy when value is a %File.Stream{}, because filename then defaults to Path.basename(stream.path) and POSIX filenames may legitimately contain \\r and \\n. Any application that forwards user-controlled filenames (or field names / MIME types) through Req.post/2 with form_multipart: lets an attacker inject arbitrary headers into the outgoing multipart body or smuggle additional fields and parts into the request the victim service sends downstream.\n\nThis issue affects req: from 0.5.3 before 0.6.0.",
  "id": "CVE-2026-49756",
  "modified": "2026-07-08T05:37:08.666075820Z",
  "published": "2026-06-08T15:20:24.035Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://cna.erlef.org/cves/CVE-2026-49756.html"
    },
    {
      "type": "WEB",
      "url": "https://github.com"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/EEF-CVE-2026-49756"
    },
    {
      "type": "WEB",
      "url": "https://repo.hex.pm"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/49xxx/CVE-2026-49756.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/wojtekmach/req/security/advisories/GHSA-px9f-whj3-246m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49756"
    },
    {
      "type": "FIX",
      "url": "https://github.com/wojtekmach/req/commit/74506ff2c5addf74df85d79dc726e9b2e264a8ba"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/wojtekmach/req"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/wojtekmach/req.git"
    }
  ],
  "schema_version": "1.7.5",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Multipart form-data header injection in Req via unescaped name/filename/content_type"
}