Two critical web security vulnerabilities have been disclosed in elixir-mint, the HTTP client library for the Elixir programming language, tracked as CVE-2026-48861 (CVSS 9.1 Critical) and CVE-2026-49753 (CVSS 7.5 High). Together they enable HTTP request smuggling and desynchronisation attacks.
What Are the Vulnerabilities?
CVE-2026-48861 — CRLF Injection / HTTP Request Splitting (CVSS 9.1 Critical): The HTTP/1 implementation in lib/mint/http1 does not properly neutralise CRLF sequences, allowing HTTP request splitting and request smuggling. An attacker-controlled HTTP/1 server or a MITM attacker can inject CRLF sequences that split the HTTP response, potentially poisoning intermediate caches or proxies.
CVE-2026-49753 — HTTP Request Smuggling (CVSS 7.5 High): Inconsistent interpretation of HTTP requests allows attacker-controlled HTTP/1 servers to desynchronise the connection state, enabling request smuggling attacks where requests from one client are mistakenly attributed to another.
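The defensive principle behind both advisories is that a client must treat only CRLF as a header-line terminator and must reject any header field carrying a bare CR or LF. The following added Python example (written for this page, not mint's own parser) is a strict HTTP/1 response-head parser that does exactly that; the two sample responses are constructed, and the rejected one carries an LF inside a header value so that a lenient parser would see an extra header line.

```python
import re

# Constructed sample responses for illustration (not taken from the advisory).
CLEAN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
)

# Header value with a bare LF followed by text shaped like a second header
# line. A parser that splits on LF alone would accept "X-Injected" as a header;
# a parser that neutralises CR/LF in field values rejects the whole response.
INJECTED_LF_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\nX-Injected: yes\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
)

# Same idea with a bare CR inside the value.
INJECTED_CR_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\rContent-Length: 99\r\n"
    b"\r\n"
    b"hello"
)

# RFC 9110 token characters for header names.
TOKEN_RE = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# Field values: HTAB, visible ASCII, and obs-text; no CR, LF or other controls.
FIELD_VALUE_RE = re.compile(rb"[\t\x20-\x7e\x80-\xff]*")
STATUS_LINE_RE = re.compile(rb"HTTP/1\.[01] (\d{3}) [\t\x20-\x7e]*")


def parse_head(raw: bytes):
    """Strictly parse a response head. Returns (status, headers, body) or raises
    ValueError when any CR/LF appears anywhere other than a CRLF terminator."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers CRLFCRLF found")
    # Split on CRLF only; bare CR or LF stays inside the line and is caught below.
    lines = head.split(b"\r\n")
    m = STATUS_LINE_RE.fullmatch(lines[0])
    if not m:
        raise ValueError("malformed status line")
    status = int(m.group(1))
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError("header line without a colon")
        value = value.strip(b" \t")
        if not TOKEN_RE.fullmatch(name):
            raise ValueError(f"invalid header name {name!r}")
        # fullmatch (not match/search with $) so a trailing LF cannot slip past.
        if not FIELD_VALUE_RE.fullmatch(value):
            raise ValueError(f"CR/LF or control byte in value of header {name!r}")
        headers.append((name.lower().decode("ascii"), value.decode("latin-1")))
    return status, headers, body


def accepts(raw: bytes) -> bool:
    """True if the response head passes the strict parser, False if rejected."""
    try:
        parse_head(raw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for label, sample in [("clean", CLEAN_RESPONSE),
                          ("bare LF", INJECTED_LF_RESPONSE),
                          ("bare CR", INJECTED_CR_RESPONSE)]:
        print(f"{label}: {'accepted' if accepts(sample) else 'rejected'}")
```

The important detail is the use of `fullmatch`: Python's `$` anchor also matches just before a trailing newline, so a pattern anchored with `$` would let a value ending in a bare LF through, which is exactly the class of lenient parsing the advisories describe.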
Which Versions Are Affected?
- elixir-mint: all versions prior to the patched releases
What Is the Fix?
Update elixir-mint via Hex by running mix deps.update mint, then verify that the version pinned in mix.lock is the patched release.
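To verify the pinned version across many applications, and to find which other locked packages depend on mint (the transitive-dependency point in the recommendations), the added Python script below parses mix.lock directly. It is an added example, not part of the advisory or of mint; the lock file excerpt and its version strings and hashes are constructed, and because the advisory does not state the patched version number, the minimum fixed version is passed in as a parameter rather than hard-coded.

```python
import re

# Constructed mix.lock excerpt (not from any real project; hashes shortened).
SAMPLE_MIX_LOCK = '''%{
  "castore": {:hex, :castore, "1.0.9", "0000aaaa", [:mix], [], "hexpm", "1111bbbb"},
  "finch": {:hex, :finch, "0.19.0", "2222cccc", [:mix], [{:mint, "~> 1.6", [hex: :mint, repo: "hexpm", optional: false]}], "hexpm", "3333dddd"},
  "mint": {:hex, :mint, "1.6.2", "4444eeee", [:mix], [{:castore, "~> 0.1.0 or ~> 1.0", [hex: :castore, repo: "hexpm", optional: true]}], "hexpm", "5555ffff"},
}
'''

# One Hex entry per line: "name": {:hex, :name, "version", ...}.
ENTRY_RE = re.compile(
    r'^\s*"(?P<name>[A-Za-z0-9_]+)":\s*\{:hex,\s*:\w+,\s*"(?P<version>[^"]+)"(?P<rest>.*)$'
)
# Dependency tuples inside an entry look like {:dep_name, "requirement", [...]}.
DEP_RE = re.compile(r'\{:(\w+),\s*"')


def parse_mix_lock(text: str) -> dict:
    """Map package name -> {"version": str, "deps": [names it depends on]}."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group("name")] = {
                "version": m.group("version"),
                "deps": DEP_RE.findall(m.group("rest")),
            }
    return entries


def version_key(version: str) -> tuple:
    """Sortable key: '1.6.2' -> (1, 6, 2, 1); a pre-release such as
    '1.7.0-rc.0' -> (1, 7, 0, 0) so it sorts before the final release."""
    core, _, pre = version.partition("-")
    nums = [int(p) for p in core.split(".")]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums) + ((0,) if pre else (1,))


def check_mint(lock_text: str, min_fixed_version: str) -> dict:
    """Report whether mint is locked, at what version, whether that version is
    at least min_fixed_version, and which locked packages pull mint in."""
    entries = parse_mix_lock(lock_text)
    dependents = sorted(name for name, e in entries.items() if "mint" in e["deps"])
    mint = entries.get("mint")
    if mint is None:
        return {"present": False, "version": None, "patched": None, "dependents": dependents}
    patched = version_key(mint["version"]) >= version_key(min_fixed_version)
    return {"present": True, "version": mint["version"], "patched": patched,
            "dependents": dependents}


if __name__ == "__main__":
    import sys
    # Usage: python check_mint.py <min_fixed_version> [path/to/mix.lock]
    # With no path, the constructed sample above is checked.
    minimum = sys.argv[1] if len(sys.argv) > 1 else "1.6.2"
    text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_MIX_LOCK
    print(check_mint(text, minimum))
```

Run it against each application's mix.lock with the patched version from the Hex release notes as the first argument; a non-empty "dependents" list tells you which packages (here the constructed finch entry) would keep pulling a vulnerable mint in if only the direct dependency were bumped.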
Recommendations
Update mint in all Elixir applications. HTTP request smuggling is a well-understood attack class that can lead to cache poisoning, credential theft, and request hijacking. Check transitive dependencies — mint may be pulled in by other HTTP libraries.
References
This advisory is covered in the broader Vulnerability Intelligence Report — June 4, 2026.
