CVE-2026-44487

Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios’s Node.js HTTP adapter may forward a Proxy-Authorization header to a redirected origin during specific proxy-to-direct redirect flows. This affects Node.js usage, where an initial HTTP request is sent through an authenticated HTTP proxy, redirects are followed, and the redirected URL is no longer proxied. Under affected redirect shapes, the final origin can receive the proxy credential that was intended only for the outbound proxy. This vulnerability is fixed in 0.32.0 and 1.16.0.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/axios/axios/security/advisories/GHSA-p92q-9vqr-4j8v	Exploit Vendor Advisory Mitigation
https://github.com/axios/axios/security/advisories/GHSA-p92q-9vqr-4j8v	Exploit Vendor Advisory Mitigation

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:axios:axios::::::node.js::*
	cpe:2.3:a:axios:axios::::::node.js::*

History

12 Jun 2026, 19:19

Type	Values Removed	Values Added
References	~~() https://github.com/axios/axios/security/advisories/GHSA-p92q-9vqr-4j8v -~~	() https://github.com/axios/axios/security/advisories/GHSA-p92q-9vqr-4j8v - Exploit, Vendor Advisory, Mitigation
First Time		Axios axios Axios
CPE		cpe:2.3:a:axios:axios::::::node.js::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5

11 Jun 2026, 19:16

Type	Values Removed	Values Added
References	~~() https://github.com/axios/axios/security/advisories/GHSA-p92q-9vqr-4j8v -~~	() https://github.com/axios/axios/security/advisories/GHSA-p92q-9vqr-4j8v -

11 Jun 2026, 17:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-06-11 17:16

Updated : 2026-06-12 19:19

NVD link : CVE-2026-44487

Mitre link : CVE-2026-44487

CVE.ORG link : CVE-2026-44487

JSON object : View

Products Affected

axios

axios

CWE

CWE-201

Insertion of Sensitive Information Into Sent Data

{"id": "CVE-2026-44487", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.2, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-06-11T17:16:32.607", "references": [{"url": "https://github.com/axios/axios/security/advisories/GHSA-p92q-9vqr-4j8v", "tags": ["Exploit", "Vendor Advisory", "Mitigation"], "source": "security-advisories@github.com"}, {"url": "https://github.com/axios/axios/security/advisories/GHSA-p92q-9vqr-4j8v", "tags": ["Exploit", "Vendor Advisory", "Mitigation"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-201"}]}], "descriptions": [{"lang": "en", "value": "Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios\u2019s Node.js HTTP adapter may forward a Proxy-Authorization header to a redirected origin during specific proxy-to-direct redirect flows. This affects Node.js usage, where an initial HTTP request is sent through an authenticated HTTP proxy, redirects are followed, and the redirected URL is no longer proxied. Under affected redirect shapes, the final origin can receive the proxy credential that was intended only for the outbound proxy. This vulnerability is fixed in 0.32.0 and 1.16.0."}], "lastModified": "2026-06-12T19:19:05.270", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:axios:axios:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "CC9D9AB4-047A-4638-AF10-7D08587A01C8", "versionEndExcluding": "0.32.0"}, {"criteria": "cpe:2.3:a:axios:axios:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "BE82EB7B-A379-416F-9737-4191F720B8C6", "versionEndExcluding": "1.16.0", "versionStartIncluding": "1.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}