7

CVE-2026-44495

Axios: Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge

Axios is a promise based HTTP client for the browser and Node.js. From 0.19.0 to before 0.31.1 and 1.15.2, Axios contains prototype-pollution gadgets in request config processing. If another vulnerability in the same JavaScript process has already polluted Object.prototype.transformResponse, affected Axios versions may treat that inherited value as request configuration or as an option validator. Axios does not itself create the prototype pollution. Exploitability requires a separate prototype-pollution vulnerability or equivalent attacker control over Object.prototype before Axios creates a request. This vulnerability is fixed in 0.31.1 and 1.15.2.
Daten sind bereitgestellt durch das CVE Programm von Authorized Data Publishers (ADP) (Unstrukturiert)
HerstellerRed Hat
Produkt Red Hat Ansible Automation Platform 2.6 for RHEL 9
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat Advanced Cluster Management for Kubernetes 2.13
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat Advanced Cluster Management for Kubernetes 2.14
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat Advanced Cluster Security for Kubernetes 4.10
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat Advanced Cluster Security for Kubernetes 4.9
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat Ansible Automation Platform 2.6
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat Container Native Virtualization 4.13
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat Container Native Virtualization 4.14
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat Developer Hub 1.10
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat Developer Hub 1.9
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat Discovery 2
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat OpenShift Container Platform 4.15
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat OpenShift Container Platform 4.16
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat OpenShift Container Platform 4.20
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat OpenShift Container Platform 4.21
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat OpenShift Dev Spaces 3.29
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat OpenShift Service Mesh 2.6
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat OpenShift Service Mesh 3.0
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat OpenShift Service Mesh 3.1
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat OpenShift Service Mesh 3.2
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat OpenShift Service Mesh 3.3
Default Statusaffected
HerstellerRed Hat
Produkt multicluster engine for Kubernetes 2.8
Default Statusaffected
HerstellerRed Hat
Produkt multicluster engine for Kubernetes 2.9
Default Statusaffected
HerstellerRed Hat
Produkt Migration Toolkit for Applications 8
Default Statusaffected
HerstellerRed Hat
Produkt Migration Toolkit for Containers
Default Statusaffected
HerstellerRed Hat
Produkt Network Observability Operator
Default Statusaffected
HerstellerRed Hat
Produkt OpenShift Pipelines
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat 3scale API Management Platform 2
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat AMQ Broker 7
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat Ansible Automation Platform 2
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat build of Apache Camel - HawtIO 4
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat build of Apicurio Registry 3
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat Build of Podman Desktop - Tech Preview
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat Data Grid 8
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat Enterprise Linux AI (RHEL AI) 3
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat Fuse 7
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat OpenShift AI (RHOAI)
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat OpenShift Container Platform 4
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat OpenShift Virtualization 4
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat Quay 3
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat Trusted Artifact Signer
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat Trusted Profile Analyzer
Default Statusaffected
HerstellerRed Hat
Produkt Self-service automation portal 2
Default Statusaffected
HerstellerRed Hat
Produkt Cryostat 4
Default Statusunaffected
HerstellerRed Hat
Produkt Gatekeeper 3
Default Statusunaffected
HerstellerRed Hat
Produkt OpenShift Service Mesh 3
Default Statusunaffected
HerstellerRed Hat
Produkt Red Hat build of Apache Camel for Spring Boot 4
Default Statusunaffected
HerstellerRed Hat
Produkt Red Hat Enterprise Linux 8
Default Statusunaffected
HerstellerRed Hat
Produkt Red Hat Enterprise Linux 9
Default Statusunaffected
HerstellerRed Hat
Produkt Red Hat OpenShift Dev Spaces
Default Statusunaffected
HerstellerRed Hat
Produkt Red Hat Satellite 6
Default Statusunaffected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.5% 0.387
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
security-advisories@github.com 7 2.2 4.7
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L
0b0ca135-0b70-47e7-9f44-1890c2a1c46c 7 2.2 4.7
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes

The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

https://bugzilla.redhat.com/show_bug.cgi?id=2487937
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-44495.json
https://access.redhat.com/errata/RHSA-2026:20889
https://access.redhat.com/errata/RHSA-2026:20938
https://access.redhat.com/errata/RHSA-2026:26234
https://access.redhat.com/errata/RHSA-2026:33574
https://access.redhat.com/errata/RHSA-2026:29197
https://access.redhat.com/errata/RHSA-2026:30651
https://access.redhat.com/errata/RHSA-2026:33155
https://access.redhat.com/errata/RHSA-2026:33160
https://access.redhat.com/errata/RHSA-2026:33163
https://access.redhat.com/errata/RHSA-2026:33173
https://access.redhat.com/errata/RHSA-2026:33183
https://access.redhat.com/errata/RHSA-2026:34374
https://access.redhat.com/errata/RHSA-2026:30650
https://access.redhat.com/errata/RHSA-2026:27044
https://access.redhat.com/errata/RHSA-2026:27063
https://access.redhat.com/errata/RHSA-2026:28964
https://access.redhat.com/errata/RHSA-2026:29082
https://access.redhat.com/errata/RHSA-2026:36108
https://github.com/axios/axios/security/advisories/GHSA-3g43-6gmg-66jw
https://access.redhat.com/errata/RHSA-2026:27944
https://access.redhat.com/errata/RHSA-2026:34160
https://access.redhat.com/security/cve/CVE-2026-44495
https://access.redhat.com/errata/RHSA-2026:36820
https://access.redhat.com/errata/RHSA-2026:36882
https://access.redhat.com/errata/RHSA-2026:36754
https://access.redhat.com/errata/RHSA-2026:36883