PatchSiren cyber security CVE debrief
CVE-2026-44486 axios CVE debrief
A vulnerability in Axios' Node.js HTTP adapter can cause proxy credentials to be leaked to a redirect target. This issue affects Axios versions prior to 0.32.0 and 1.16.0 when used with automatic redirects enabled and an authenticated proxy configuration.
- Vendor: axios
- Product: Unknown
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-11
- Original CVE updated: 2026-06-13
- Advisory published: 2026-06-11
- Advisory updated: 2026-06-13
Who should care
Users of Axios in Node.js environments who utilize automatic redirects and authenticated proxy configurations should be aware of this vulnerability.
Technical summary
Axios' Node.js HTTP adapter can leak proxy credentials to a redirect target in affected versions. When a request is sent through an authenticated proxy, Axios may add a Proxy-Authorization header. If Axios then follows a redirect and the redirected request is no longer sent through that proxy, the stale Proxy-Authorization header can remain on the redirected request and be sent to the redirect target.
Defensive priority
HIGH
Recommended defensive actions
- Update Axios to version 0.32.0 or 1.16.0 or later to fix the vulnerability.
- Review and adjust proxy configurations to minimize exposure.
- Monitor for and restrict unauthorized access to sensitive proxy credentials.
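To support the update step, the following added example (not code from the advisory or from the axios project) scans the `packages` map of a `package-lock.json` for every installed copy of axios, including copies nested under other dependencies, and flags those below the fixed releases. It assumes 0.32.0 is the fix for the 0.x line and 1.16.0 the fix for the 1.x line; `isAffected`, `findAxios` and `SAMPLE_LOCK` are hypothetical names, and the lockfile is constructed sample data.

```javascript
// Added example: flag axios versions below the fixed releases named on this page.
// Assumption: 0.x is fixed at 0.32.0 and 1.x at 1.16.0; other majors are not judged.
const FIXED = { 0: [0, 32, 0], 1: [1, 16, 0] };

// Returns true (affected), false (fixed) or null (cannot decide, review manually).
function isAffected(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(version);
  if (!m) return null;                       // unparseable version string
  const v = [Number(m[1]), Number(m[2]), Number(m[3])];
  const fixed = FIXED[v[0]];
  if (!fixed) return null;                   // major line not covered by the page
  for (let i = 0; i < 3; i++) {
    if (v[i] !== fixed[i]) return v[i] < fixed[i];
  }
  return Boolean(m[4]);                      // pre-release of the fixed version: treat as affected
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3).
// The anchored pattern skips look-alikes such as axios-retry or scoped packages.
function findAxios(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/axios$/.test(path)) continue;
    hits.push({ path, version: meta.version, affected: isAffected(meta.version || "") });
  }
  return hits;
}

// Constructed sample lockfile, not taken from any real project.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.16.0" },
    "node_modules/legacy-sdk/node_modules/axios": { version: "0.27.2" },
    "node_modules/report-tool/node_modules/axios": { version: "1.7.9" },
    "node_modules/axios-retry": { version: "4.0.0" },
  },
};

for (const hit of findAxios(SAMPLE_LOCK)) {
  const label = hit.affected === null ? "REVIEW" : hit.affected ? "AFFECTED" : "ok";
  console.log(`${label}\t${hit.version}\t${hit.path}`);
}
```

A project whose top-level axios is already fixed can still carry an affected copy pinned by a transitive dependency, which is why nested paths are reported separately.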
Evidence notes
This vulnerability is fixed in Axios versions 0.32.0 and 1.16.0. Browser adapters are not affected.
Official resources
- CVE-2026-44486 CVE record: CVE.org
- CVE-2026-44486 NVD detail: NVD
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Exploit, Mitigation, Vendor Advisory
CVE-2026-44486 was published on [2026-06-11T17:16:32.450Z](https://www.cve.org/CVERecord?id=CVE-2026-44486) and modified on [2026-06-13T03:16:20.647Z](https://nvd.nist.gov/vuln/detail/CVE-2026-44486).