Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter
CVE-2026-44487

8.2HIGH

Key Information:

Vendor: AxiOS
Status: AxiOS
Vendor: CVE Published:; 11 June 2026

What is CVE-2026-44487?

Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios’s Node.js HTTP adapter may forward a Proxy-Authorization header to a redirected origin during specific proxy-to-direct redirect flows. This affects Node.js usage, where an initial HTTP request is sent through an authenticated HTTP proxy, redirects are followed, and the redirected URL is no longer proxied. Under affected redirect shapes, the final origin can receive the proxy credential that was intended only for the outbound proxy. This vulnerability is fixed in 0.32.0 and 1.16.0.

Affected Version(s)

axios >= 1.0.0, < 1.16.0 < 1.0.0, 1.16.0

axios < 0.32.0 < 0.32.0

References

https://github.com/axios/axios/security/advisories/GHSA-p...

x_refsource_CONFIRM

CVSS V4

Score:

8.2

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 11, 2026
Vulnerability Reserved
May 6, 2026

CVE-2026-44487 Data

JSON

AxiOS

What is CVE-2026-44487?

Affected Version(s)

References

CVSS V4

Timeline