PatchSiren cyber security CVE debrief

CVE-2026-44490 axios CVE debrief

Axios, a promise-based HTTP client for the browser and Node.js, is vulnerable to prototype pollution. CVE-2026-44490 covers two read-side prototype-pollution gadgets in axios: when Object.prototype has already been polluted by an upstream dependency in the same process, axios silently picks up the polluted values, which can lead to security issues. The vulnerability exists in versions prior to 0.32.0 and 1.16.0.

Vendor
axios
Product
Unknown
CVSS
MEDIUM 4.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-11
Original CVE updated
2026-06-11
Advisory published
2026-06-11
Advisory updated
2026-06-11

Who should care

Developers and operators who ship axios, especially versions prior to 0.32.0 and 1.16.0, should be aware of this vulnerability and take the mitigation steps listed below.

Technical summary

Two issues in axios make up the vulnerability. The first is in lib/utils.js, where the merge() function builds its accumulator as an empty object, so values polluted onto Object.prototype are inherited by the accumulator and copied into the merged headers. The second is in lib/core/mergeConfig.js, where the hasOwnProperty descriptor is built as a plain-object literal, so a polluted Object.prototype.get or Object.prototype.set is inherited by the descriptor and causes a TypeError on every axios request.
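
As an added example that is neither part of this debrief nor axios's own code, the following JavaScript (all helper names hypothetical) demonstrates both gadget patterns the summary describes, each beside a hardened form, under a simulated pollution that the script removes again afterwards:

```javascript
// Added example (not axios's code): hypothetical helpers showing the two
// read-side gadget patterns described above, each beside a hardened form.
// Gadget 1, vulnerable: plain {} accumulator plus for..in, which walks the
// prototype chain and so copies enumerable keys an upstream package left
// on Object.prototype into the merged headers.
function mergeHeadersVulnerable(...sources) {
  const result = {};
  for (const src of sources) for (const key in src) result[key] = src[key];
  return result;
}

// Gadget 1, hardened: null-prototype accumulator, own enumerable keys only.
function mergeHeadersSafe(...sources) {
  const result = Object.create(null);
  for (const src of sources) for (const key of Object.keys(src)) result[key] = src[key];
  return result;
}

// Gadget 2, vulnerable: a descriptor literal inherits a polluted
// Object.prototype.get, so defineProperty sees an accessor and a data value
// together and throws TypeError on every call.
function defineVulnerable(obj, name, value) {
  Object.defineProperty(obj, name, { value, enumerable: false, writable: true });
}

// Gadget 2, hardened: build the descriptor on a null prototype.
function defineSafe(obj, name, value) {
  const desc = Object.create(null);
  desc.value = value; desc.enumerable = false; desc.writable = true;
  Object.defineProperty(obj, name, desc);
}

// Exercise both pairs under a simulated pollution (constructed for this demo)
// and remove it afterwards so the process is left as it was found.
function demo() {
  Object.prototype.polluted = 'injected';
  Object.prototype.get = () => undefined;
  try {
    const own = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
    const vuln = mergeHeadersVulnerable({ Accept: 'application/json' });
    const safe = mergeHeadersSafe({ Accept: 'application/json' });
    let threw = false;
    try { defineVulnerable({}, 'x', 1); } catch (e) { threw = e instanceof TypeError; }
    defineSafe({}, 'x', 1); // still works while the pollution is present
    return { vulnLeaks: own(vuln, 'polluted'), safeLeaks: own(safe, 'polluted'), threw };
  } finally {
    delete Object.prototype.polluted;
    delete Object.prototype.get;
  }
}
```

Running demo() returns vulnLeaks true, safeLeaks false and threw true, i.e. only the plain-object accumulator and the literal descriptor are affected by the simulated pollution.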

Defensive priority

MEDIUM

Recommended defensive actions

  • Update axios to 0.32.0 or later on the 0.x line, or to 1.16.0 or later on the 1.x line.
  • Review and update the other dependencies loaded in the same process, since these gadgets only take effect once Object.prototype has already been polluted upstream.

Evidence notes

CVE-2026-44490 carries a CVSS score of 4.8 and is classified as MEDIUM severity. The CVE record was published on 2026-06-11T17:16:33.027Z and last modified on 2026-06-11T20:56:29.653Z.
