Axios: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix
CVE-2026-44489

3.7LOW

Key Information:

Vendor: AxiOS
Status: AxiOS
Vendor: CVE Published:; 11 June 2026

What is CVE-2026-44489?

Axios is a promise based HTTP client for the browser and Node.js. From 1.15.2 to before 1.16.0, nested objects created by utils.merge() (e.g., config.proxy) are still constructed as plain {} with Object.prototype in their chain. The setProxy() function at lib/adapters/http.js:209-223 reads proxy.username, proxy.password, and proxy.auth without hasOwnProperty checks. When Object.prototype.username is polluted, setProxy() constructs a Proxy-Authorization header with attacker-controlled credentials and injects it into every proxied HTTP request. This vulnerability is fixed in 1.16.0.

Affected Version(s)

axios 1.15.2

References

https://github.com/axios/axios/security/advisories/GHSA-6...

x_refsource_CONFIRM

CVSS V3.1

Score:

3.7

Severity:

LOW

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 11, 2026
Vulnerability Reserved
May 6, 2026

CVE-2026-44489 Data

JSON

AxiOS

What is CVE-2026-44489?

Affected Version(s)

References

CVSS V3.1

Timeline