Axios: Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`
CVE-2026-44494

8.7HIGH

Key Information:

Vendor: AxiOS
Status: AxiOS
Vendor: CVE Published:; 11 June 2026

What is CVE-2026-44494?

Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.16.0, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into a full Man-in-the-Middle (MITM) attack — intercepting, reading, and modifying all HTTP traffic including authentication credentials. The HTTP adapter at lib/adapters/http.js:670 reads config.proxy via standard property access, which traverses the prototype chain. Because proxy is not present in Axios defaults, the merged config object has no own proxy property, making it trivially injectable via prototype pollution. Once injected, setProxy() routes all HTTP requests through the attacker's proxy server. This vulnerability is fixed in 1.16.0.

Affected Version(s)

axios >= 1.0.0, < 1.16.0

References

https://github.com/axios/axios/security/advisories/GHSA-3...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 11, 2026
Vulnerability Reserved
May 6, 2026

CVE-2026-44494 Data

JSON

AxiOS

What is CVE-2026-44494?

Affected Version(s)

References

CVSS V3.1

Timeline