May 2026: Kiota abstractions RedirectHandler leaks Cookie/Proxy-Authorization headers on cross-host
CVE-2026-44503 Published on May 14, 2026
Kiota abstractions RedirectHandler leaks Cookie/Proxy-Authorization headers on cross-host redirect
The RedirectHandler middleware in microsoft/kiota-java (com.microsoft.kiota:microsoft-kiota-http-okHttp v1.9.0) and other Kiota libraries fails to strip sensitive HTTP headers when following 3xx redirects to a different host or scheme. Only the Authorization header is removed; Cookie, Proxy-Authorization, and all custom headers are forwarded to the redirect target.
Weakness Type
What is an Open Redirect Vulnerability?
A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks. An http parameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance.
CVE-2026-44503 has been classified to as an Open Redirect vulnerability or weakness.
Affected Versions
microsoft kiota-java:- Version < 1.9.1 is affected.
- Version < 1.22.0 is affected.
- Version < 1.5.5 is affected.
- Version < 1.0.0-preview.100 is affected.
- Version < 1.9.1 is affected.
- Version < 1.9.9 is affected.