Cross-Origin Redirect Vulnerability in Microsoft Kiota API Client Library
CVE-2026-49336
5.5 MEDIUM
What is CVE-2026-49336?
A flaw in the @microsoft/kiota-http-fetch library allows sensitive headers, including Authorization and Cookie, to be sent to untrusted redirect targets during cross-origin 30x redirects. The RedirectHandler removes these headers with a case-sensitive deletion: once header names have been lower-cased, the mixed-case names it deletes no longer match, so the headers are not removed and authentication tokens are exposed to potential attackers controlling the redirect target. This affects all kiota-generated TypeScript SDKs that use authentication providers such as BaseBearerTokenAuthenticationProvider without custom configuration, necessitating immediate updates to version 1.0.0-preview.102.
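As an added example (not Kiota's own code), the following is a constructed model of the flaw described above and of its hardened form. It assumes outgoing headers travel as a plain Record whose keys were lower-cased before the redirect handler runs; the vulnerable variant deletes by exact mixed-case name, the hardened one compares names case-insensitively.

```typescript
// Added example, not Kiota's code: a constructed model of the redirect-handler flaw.
// Assumption: outgoing headers travel as a plain Record whose keys were lower-cased
// before the redirect handler runs, which is what makes a case-sensitive delete miss.

type HeaderMap = Record<string, string>;

// Header names a redirect handler must not forward to another origin.
const SENSITIVE_HEADERS: string[] = ["Authorization", "Cookie"];

// Cross-origin means a different scheme, host or port (URL.host includes the port).
function isCrossOrigin(from: string, to: string): boolean {
  const a = new URL(from);
  const b = new URL(to, from); // Location may be relative; resolve against the request
  return a.protocol !== b.protocol || a.host !== b.host;
}

// Vulnerable pattern: keys are lower-cased, then deleted by their mixed-case names.
// "Authorization" never matches "authorization", so the token survives the hop.
function stripVulnerable(headers: HeaderMap): HeaderMap {
  const out: HeaderMap = {};
  for (const k of Object.keys(headers)) out[k.toLowerCase()] = headers[k];
  for (const name of SENSITIVE_HEADERS) delete out[name];
  return out;
}

// Hardened pattern: HTTP field names are case-insensitive (RFC 9110), so compare
// lower-cased forms on both sides instead of relying on exact-key deletion.
function stripHardened(headers: HeaderMap): HeaderMap {
  const drop = SENSITIVE_HEADERS.map((n) => n.toLowerCase());
  const out: HeaderMap = {};
  for (const k of Object.keys(headers)) {
    if (drop.indexOf(k.toLowerCase()) === -1) out[k] = headers[k];
  }
  return out;
}

// Decide what to forward on a 30x: same origin keeps everything, cross-origin strips.
function headersForRedirect(
  requestUrl: string,
  location: string,
  headers: HeaderMap,
  strip: (h: HeaderMap) => HeaderMap
): HeaderMap {
  return isCrossOrigin(requestUrl, location) ? strip(headers) : { ...headers };
}

// True if any header name matches case-insensitively (how a receiver would read it).
function hasHeader(headers: HeaderMap, name: string): boolean {
  return Object.keys(headers).some((k) => k.toLowerCase() === name.toLowerCase());
}
```

Running `headersForRedirect` with `stripVulnerable` against a cross-origin Location reproduces the leak in this model, while `stripHardened` drops Authorization and Cookie and keeps the rest; a same-origin redirect keeps all headers in both cases.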
Affected Version(s)
kiota-typescript >= 1.0.0-preview.97, < 1.0.0-preview.102