Bug 2487947 (CVE-2026-44486) - CVE-2026-44486 axios: Axios: Information disclosure of proxy credentials via HTTP redirects
Keywords:
Status: NEW
Alias: CVE-2026-44486
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2488182 2488183 2488184 2488187 2488191 2488192 2488193 2488194 2488196 2488198 2488199 2488200 2488201
Blocks:
Reported: 2026-06-11 17:01 UTC by OSIDB Bzimport
Modified: 2026-06-12 01:06 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-06-11 17:01:53 UTC
Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios’ Node.js HTTP adapter can leak proxy credentials to a redirect target in affected versions. When a request is sent through an authenticated proxy, Axios may add a Proxy-Authorization header. If Axios then follows a redirect and the redirected request is no longer sent through that proxy, the stale Proxy-Authorization header can remain on the redirected request and be sent to the redirect target. This affects Node.js's use of Axios with automatic redirects enabled and an authenticated proxy configuration. Browser adapters are not affected. This vulnerability is fixed in 0.32.0 and 1.16.0.
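
As an added illustration of the header handling described above (not code from the axios project or from this bug report), the following JavaScript helper strips a stale `Proxy-Authorization` header from a redirected request in an axios `beforeRedirect` hook. It assumes that a hop still sent through the proxy carries the proxy's hostname in `options.hostname`; `stripStaleProxyAuth`, `PROXY_HOST`, `hardenedConfig` and all hostnames are hypothetical, constructed values.

```javascript
// Added example; stripStaleProxyAuth and PROXY_HOST are hypothetical names.
// Assumption: on a hop that still goes through the proxy, options.hostname is
// the proxy's hostname; on a direct hop it is the redirect target's hostname.
const PROXY_HOST = 'proxy.corp.example'; // constructed value

/**
 * Remove Proxy-Authorization (any casing) from the next hop's request options
 * when that hop is not addressed to the proxy.
 * Returns the names of the headers that were removed.
 */
function stripStaleProxyAuth(options, proxyHost) {
  const removed = [];
  const headers = options && options.headers;
  if (!headers) return removed;

  // A missing hostname compares unequal, so the header is stripped (fail closed).
  const nextHop = String(options.hostname || '').toLowerCase();
  if (nextHop === String(proxyHost).toLowerCase()) return removed; // still proxied

  for (const name of Object.keys(headers)) {
    if (name.toLowerCase() === 'proxy-authorization') {
      delete headers[name];
      removed.push(name);
    }
  }
  return removed;
}

// axios request config using the hook: axios passes the redirected request's
// options object as the first argument of beforeRedirect.
const hardenedConfig = {
  maxRedirects: 5,
  beforeRedirect: (options) => {
    stripStaleProxyAuth(options, PROXY_HOST);
  },
};

// Constructed redirect hop that bypasses the proxy but still carries the header.
const directHop = {
  hostname: 'cdn.other.example',
  headers: { 'Proxy-Authorization': 'Basic CONSTRUCTED', accept: '*/*' },
};
hardenedConfig.beforeRedirect(directHop);
console.log(Object.keys(directHop.headers)); // remaining header names
```

Upgrading to 0.32.0 or 1.16.0 is the fix the description names; a hook like this only narrows exposure for Node.js clients that cannot upgrade yet.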

