Insertion of Sensitive Information Into Sent Data in axios - CVE-2026-44487

 

Published: May 31, 2026


Vulnerability identifier: #VU133098
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-44487
CWE-ID: CWE-201
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: axios
Affected software: axios

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to insertion of sensitive information into sent data in the Node.js HTTP adapter when following an HTTP-to-HTTPS redirect from a proxied request to a direct request. A remote attacker can trigger a crafted redirect flow to disclose sensitive information.

Only Node.js requests using the HTTP adapter are affected, and exploitation requires redirects to be followed and proxy credentials to be configured for the initial HTTP request but not for the redirected HTTPS request.


How to mitigate CVE-2026-44487

Install the security update from the vendor's website.
