Intel

AIKIDO-2026-527558

plug is vulnerable to Cookie Attribute Injection

Cookie Attribute InjectionCVE-2026-56813 Published 3 days ago

21

Low Risk

This Affects:

ELIXIRplug
0.1.0 - 1.16.5
Fixed in 1.16.6
1.17.0 - 1.17.3
Fixed in 1.17.4
1.18.0 - 1.18.4
Fixed in 1.18.5
1.19.0 - 1.19.4
Fixed in 1.19.5
1.20.0 - 1.20.2
Fixed in 1.20.3
Are you affected? Scan for Free

TL;DR

Plug.Conn.Cookies.encode/2 in the Elixir plug library builds the Set-Cookie response header by interpolating the cookie path, domain and same_site attributes directly into the header string without validating the ; character. Any Plug application that reflects attacker-controlled data into a cookie attribute lets an unauthenticated attacker inject additional cookie attributes through ;. Plug already handles and null bytes accordingly, so header injection is not possible.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

plug is vulnerable to Cookie Attribute Injection in versions 0.1.0 - 1.16.5, 1.17.0 - 1.17.3, 1.18.0 - 1.18.4, 1.19.0 - 1.19.4 and 1.20.0 - 1.20.2.

How to fix this

Upgrade the plug library to the patch version.