AIKIDO-2026-10122
hackney is vulnerable to Insufficiently Protected Credentials
88
High Risk
This Affects:
hackneyTL;DR
Affected versions of this package forward authorization headers and credentials when following redirects to a different host, which could lead to credential leakage if a server redirects requests to an untrusted destination. The patched version stops forwarding sensitive headers on cross-host redirects, preventing unintended exposure of credentials.
Who does this affect?
You are affected if you are using a version that falls within the vulnerable range.
Background info
hackney is vulnerable to Insufficiently Protected Credentials in versions 0.0.1 - 2.0.1.
How to fix this
Upgrade the hackney library to the patch version.
Links
github.com/benoitc/hackney/blob/master/NEWS.md#300---2026-01-27
openwall.com/lists/oss-security/2022/04/27/4securitytracker.com/id/1040274access.redhat.com/errata/RHBA-2019:0327access.redhat.com/errata/RHSA-2018:3157access.redhat.com/errata/RHSA-2018:3558access.redhat.com/errata/RHSA-2019:1543access.redhat.com/errata/RHSA-2020:0544access.redhat.com/errata/RHSA-2020:0594curl.haxx.se/docs/adv_2018-b3bf.htmllists.debian.org/debian-lts-announce/2018/01/msg00038.htmlusn.ubuntu.com/3554-1/usn.ubuntu.com/3554-2/debian.org/security/2018/dsa-4098oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
Are You Affected?
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.
SOC 2Compliant
ISO 27001Compliant