Axios HTTP Proxy-Authorization Header Leak via Redirection v0.32.0/1.16.0
CVE-2026-44487 Published on June 11, 2026
Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter
Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axioss Node.js HTTP adapter may forward a Proxy-Authorization header to a redirected origin during specific proxy-to-direct redirect flows. This affects Node.js usage, where an initial HTTP request is sent through an authenticated HTTP proxy, redirects are followed, and the redirected URL is no longer proxied. Under affected redirect shapes, the final origin can receive the proxy credential that was intended only for the outbound proxy. This vulnerability is fixed in 0.32.0 and 1.16.0.
Vulnerability Analysis
CVE-2026-44487 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. Public availability of a proof of concept (POC) exploit exists for CVE-2026-44487. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.
Weakness Type
Insertion of Sensitive Information Into Sent Data
The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor. Sensitive information could include data that is sensitive in and of itself (such as credentials or private messages), or otherwise useful in the further exploitation of the system (such as internal file system structure).
Products Associated with CVE-2026-44487
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2026-44487 are published in these products:
Affected Versions
axios:- Version >= 1.0.0, < 1.16.0 is affected.
- Version < 0.32.0 is affected.
- Version 1782157085 and below * is unaffected.
- Version 1783348181 and below * is unaffected.
- Version 1782157514 and below * is unaffected.
- Version 1783451729 and below * is unaffected.
- Version 1779293013 and below * is unaffected.
- Version 1779371594 and below * is unaffected.
- Version 1782761510 and below * is unaffected.
- Version 1783448184 and below * is unaffected.
- Version 1781187342 and below * is unaffected.
- Version 1782761244 and below * is unaffected.
- Version 1782166952 and below * is unaffected.
- Version 1782127091 and below * is unaffected.
- Version 1782244020 and below * is unaffected.
- Version 1782171032 and below * is unaffected.
- Version 1781695012 and below * is unaffected.
- Version 1781731914 and below * is unaffected.
- Version 1782498475 and below * is unaffected.
- Version 1782498792 and below * is unaffected.
- Version 1781937133 and below * is unaffected.
- Version 1782287580 and below * is unaffected.
- Version 1782201894 and below * is unaffected.
- Version 1782201833 and below * is unaffected.
- Version 1782201696 and below * is unaffected.
- Version 1782201537 and below * is unaffected.
- Version 1782201851 and below * is unaffected.
- Version 1782201812 and below * is unaffected.
- Version 1782231869 and below * is unaffected.
- Version 1782201466 and below * is unaffected.
- Version 1781174698 and below * is unaffected.
- Version 1782253070 and below * is unaffected.
- Version 1782243376 and below * is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.