Information disclosure in axios - CVE-2026-44486

Published: May 31, 2026


Vulnerability identifier: #VU133097
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-44486
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: axios
Affected software:
axios

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper handling of sensitive headers in the Node.js HTTP adapter (lib/adapters/http.js) when following redirects. Proxy settings are re-evaluated for each redirect target, but when that re-evaluation switches from an authenticated proxy to a direct connection (for example because the redirect target matches the NO_PROXY list), the Proxy-Authorization header that carries the proxy credentials is not removed from the redirected request. A remote attacker who controls a server the application requests can return a crafted redirect so that the proxy credentials are sent to the redirect target, disclosing sensitive information.

Only the Node.js HTTP adapter is affected; browser builds using the XHR or fetch adapters are not. Exploitation requires that automatic redirect following is enabled (the default, since maxRedirects is non-zero) and that the request uses an authenticated proxy, whether set through the proxy option or through proxy environment variables.


How to mitigate CVE-2026-44486

Install the security update from the vendor's website. If updating is not immediately possible, reduce exposure by disabling automatic redirect following (maxRedirects: 0) for requests that go through an authenticated proxy, or by not configuring proxy credentials for clients that follow redirects to untrusted hosts.

Sources