Cross-Origin Redirect Issue in urllib3 HTTP Client Library
CVE-2026-44431

8.2HIGH

Key Information:

Vendor: Urllib3
Status: Urllib3
Vendor: CVE Published:; 13 May 2026

What is CVE-2026-44431?

The urllib3 HTTP client library for Python contains a cross-origin redirect vulnerability that affects versions 1.23 up to 2.7.0. When using the low-level API through ProxyManager.connection_from_url(), if assert_same_host is set to False, sensitive headers may inadvertently be forwarded during cross-origin redirects. This issue can lead to unintended exposure of user data. Users are advised to upgrade to version 2.7.0 or later to mitigate this risk.

Affected Version(s)

urllib3 >= 1.23, < 2.7.0

References

https://github.com/urllib3/urllib3/security/advisories/GH...

x_refsource_CONFIRM

CVSS V4

Score:

8.2

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 13, 2026
Vulnerability Reserved
May 6, 2026

CVE-2026-44431 Data

JSON

Urllib3

What is CVE-2026-44431?

Affected Version(s)

References

CVSS V4

Timeline