8.2
CVE-2026-44487
- EPSS 0.69%
- Veröffentlicht 11.06.2026 15:38:25
- Zuletzt bearbeitet 09.07.2026 13:17:17
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter
Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios’s Node.js HTTP adapter may forward a Proxy-Authorization header to a redirected origin during specific proxy-to-direct redirect flows. This affects Node.js usage, where an initial HTTP request is sent through an authenticated HTTP proxy, redirects are followed, and the redirected URL is no longer proxied. Under affected redirect shapes, the final origin can receive the proxy credential that was intended only for the outbound proxy. This vulnerability is fixed in 0.32.0 and 1.16.0.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.69% | 0.482 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
| security-advisories@github.com | 8.2 | 0 | 0 |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
|
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
CWE-201 Insertion of Sensitive Information Into Sent Data
The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.
https://bugzilla.redhat.com/show_bug.cgi?id=2487948
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-44487.json
https://access.redhat.com/errata/RHSA-2026:20889
https://access.redhat.com/errata/RHSA-2026:20938
https://access.redhat.com/errata/RHSA-2026:26234
https://access.redhat.com/errata/RHSA-2026:33574
https://access.redhat.com/errata/RHSA-2026:29197
https://access.redhat.com/errata/RHSA-2026:30651
https://access.redhat.com/errata/RHSA-2026:33155
https://access.redhat.com/errata/RHSA-2026:33160
https://access.redhat.com/errata/RHSA-2026:33163
https://access.redhat.com/errata/RHSA-2026:33173
https://access.redhat.com/errata/RHSA-2026:33183
https://access.redhat.com/errata/RHSA-2026:34374
https://access.redhat.com/errata/RHSA-2026:30650
https://github.com/axios/axios/security/advisories/GHSA-p92q-9vqr-4j8v
https://access.redhat.com/errata/RHSA-2026:27044
https://access.redhat.com/errata/RHSA-2026:27063
https://access.redhat.com/errata/RHSA-2026:28964
https://access.redhat.com/errata/RHSA-2026:29082
https://access.redhat.com/errata/RHSA-2026:29864
https://access.redhat.com/errata/RHSA-2026:34525
https://access.redhat.com/errata/RHSA-2026:34527
https://access.redhat.com/errata/RHSA-2026:34530
https://access.redhat.com/security/cve/CVE-2026-44487
https://access.redhat.com/errata/RHSA-2026:36820
https://access.redhat.com/errata/RHSA-2026:36882
https://access.redhat.com/errata/RHSA-2026:36754
https://access.redhat.com/errata/RHSA-2026:36883