PatchSiren cyber security CVE debrief
CVE-2026-44487 axios CVE debrief
Axios is a promise-based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios’s Node.js HTTP adapter may forward a Proxy-Authorization header to a redirected origin during specific proxy-to-direct redirect flows. This affects Node.js usage, where an initial HTTP request is sent through an authenticated HTTP proxy, redirects are followed, and the redirected URL is no longer proxied. Under affected redirect shapes, the final origin can receive the proxy credential that was intended only for the outbound proxy.
- Vendor: axios
- Product: Unknown
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-11
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-11
- Advisory updated: 2026-06-12
Who should care
Users of Axios in Node.js environments, especially those using authenticated HTTP proxies.
Technical summary
Axios’s Node.js HTTP adapter may forward a Proxy-Authorization header to a redirected origin during specific proxy-to-direct redirect flows.
Defensive priority
HIGH
Recommended defensive actions
- Update Axios to version 0.32.0 or 1.16.0 or later.
- Review and adjust proxy configurations to prevent unintended credential exposure.
Evidence notes
Fixed in 0.32.0 and 1.16.0.
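To find installs that still need the update, the following added example (not code from axios or from this debrief) scans an npm lockfile's `packages` map for axios copies older than the fixed releases listed above. The lockfile fragment is constructed, the function names are hypothetical, and treating major versions other than 0 and 1 as out of scope is an assumption. A hit means the package is present; exposure still depends on the authenticated-proxy redirect flow described above.

```javascript
// Added example: flag axios versions the debrief lists as affected
// (prior to 0.32.0 on the 0.x line, prior to 1.16.0 on the 1.x line).
const FIXED = { 0: [0, 32, 0], 1: [1, 16, 0] }; // from the debrief's "Fixed in" note

// Parse "1.15.3" or "1.16.0-beta.1" into numeric parts plus a prerelease flag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v).trim());
  if (!m) return null;
  return { parts: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// True when the version sorts before the fixed release of its major line.
function isAffected(version) {
  const parsed = parseVersion(version);
  if (!parsed) return null; // unparseable: caller should review manually
  const fixed = FIXED[parsed.parts[0]];
  if (!fixed) return false; // assumption: majors other than 0 and 1 are out of scope
  for (let i = 0; i < 3; i++) {
    if (parsed.parts[i] !== fixed[i]) return parsed.parts[i] < fixed[i];
  }
  return parsed.pre; // a prerelease of the fixed version precedes it
}

// Walk the "packages" map of an npm lockfile (lockfileVersion 2 or 3) and
// report every axios copy, including ones nested under other dependencies.
function findAffectedAxios(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/axios$/.test(path)) continue;
    const affected = isAffected(meta.version);
    if (affected !== false) hits.push({ path, version: meta.version, affected });
  }
  return hits;
}

// Constructed sample lockfile fragment, not taken from a real project.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.16.0" },
    "node_modules/legacy-sdk/node_modules/axios": { version: "0.27.2" },
    "node_modules/report-client/node_modules/axios": { version: "1.15.3" },
    "node_modules/axios-retry": { version: "4.0.0" },
  },
};

console.log(findAffectedAxios(SAMPLE_LOCK));
```

Nested copies matter here: a transitive dependency can pin an older axios even when the top-level install is already on a fixed release.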
Official resources
- CVE-2026-44487 CVE record (CVE.org)
- CVE-2026-44487 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: Exploit, Vendor Advisory, Mitigation