HarborGuard Database

HIGH · CVE-2026-44486 · CNA: GitHub_M

CVE-2026-44486: Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection

Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios’ Node.js HTTP adapter can leak proxy credentials to a redirect target in affected versions. When a request is sent through an authenticated proxy, Axios may add a Proxy-Authorization header. If Axios then follows a redirect and the redirected request is no longer sent through that proxy, the stale Proxy-Authorization header can remain on the redirected request and be sent to the redirect target. This affects Node.js's use of Axios with automatic redirects enabled and an authenticated proxy configuration. Browser adapters are not affected. This vulnerability is fixed in 0.32.0 and 1.16.0.

Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: 0.32.0, 1.16.0 (per the advisory text above)
Affected Products: 1


HarborGuard Analysis

Synopsis

This is a sensitive-header-leak vulnerability in the Axios HTTP client library (Node.js adapter). When a request is routed through an authenticated proxy, Axios sets a Proxy-Authorization header for that proxy. If Axios then follows a redirect and re-evaluates the proxy configuration for the new URL (for example because the new host is excluded from proxying by a no_proxy rule), the redirected request is sent as a direct connection, but the stale Proxy-Authorization header is not stripped, so the proxy credentials are delivered to the redirect target. A redirect target that is attacker-controlled or compromised can read those credentials straight out of the request headers; Basic proxy credentials are only Base64-encoded, not encrypted. The advisory names 0.32.0 and 1.16.0 as the fixed releases; HarborGuard lists the patch status as pending until those releases are confirmed upstream and a rebuilt image is available.

HarborGuard Coverage

Detection (status: Available)

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images containing an affected axios version, including custom-built Node.js images that bundle the library directly. Any image with axios >= 1.0.0 and < 1.16.0, or any 0.x release < 0.32.0, is flagged automatically.
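The version matching described above, as an added example (not HarborGuard's scanner and not Axios code): it reads a package-lock.json in lockfileVersion 2 or 3 format, where every installed copy of a package appears under "packages", and reports each axios entry whose version falls in the affected ranges named on this page, together with the release it should move to. The lock file contents, the package names and the function names are constructed for the example; comparison is on major.minor.patch with a prerelease tag sorting below its release, so a 1.16.0 prerelease is still treated as affected.

```javascript
// Added example: flag installed axios copies in the affected ranges
//   >= 1.0.0 and < 1.16.0  (fixed in 1.16.0)
//   < 0.32.0               (fixed in 0.32.0)
// Works on package-lock.json lockfileVersion 2/3 ("packages" map), so nested
// copies under other dependencies are reported too. Lock data is constructed.

function parseVersion(v) {
  // major.minor.patch plus a flag: prerelease sorts below the final release.
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3]), m[4] ? 0 : 1];
}

function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 4; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// lo === null means "no lower bound".
function inRange(v, lo, hi) {
  return (lo === null || compareVersions(v, lo) >= 0) && compareVersions(v, hi) < 0;
}

// Returns the fixed release an affected version should move to, else null.
function axiosFixedIn(version) {
  if (inRange(version, '1.0.0', '1.16.0')) return '1.16.0';
  if (inRange(version, null, '0.32.0')) return '0.32.0';
  return null;
}

// Scan the lock file text; the returned "path" is the lock-file key, which
// tells you which dependency pulled the affected copy in.
function findAffectedAxios(lockJsonText) {
  const lock = JSON.parse(lockJsonText);
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/axios$/.test(path)) continue;
    const fixedIn = axiosFixedIn(entry.version);
    if (fixedIn) hits.push({ path, version: entry.version, fixedIn });
  }
  return hits;
}

// Constructed lock file: one direct axios, one nested legacy copy, one fixed copy.
const SAMPLE_LOCK = JSON.stringify({
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { axios: '^1.7.0' } },
    'node_modules/axios': { version: '1.7.9' },
    'node_modules/legacy-sdk': { version: '2.0.0', dependencies: { axios: '^0.21.1' } },
    'node_modules/legacy-sdk/node_modules/axios': { version: '0.21.4' },
    'node_modules/other-sdk/node_modules/axios': { version: '1.16.0' },
  },
});

for (const hit of findAffectedAxios(SAMPLE_LOCK)) {
  console.log(`${hit.path}: axios ${hit.version} is affected, upgrade to ${hit.fixedIn}`);
}
```

Point `findAffectedAxios` at a real lock file (`fs.readFileSync('package-lock.json', 'utf8')`) to get the same report for a repository; for lockfileVersion 1 files, which nest copies under "dependencies" instead, the walk would need to recurse.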
Triage (status: Available)

HarborGuard scores this finding at CVSS 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and weights it against each customer environment's compliance policy to determine priority and routing. The resulting alert is dispatched to the team or inbox configured for the affected workload within the customer org.
Patch (status: Pending upstream)

The advisory names axios 0.32.0 and 1.16.0 as the fixed releases. HarborGuard re-evaluates the advisory on every ingest cycle and makes a patched-image rebuild available once a fixed release is confirmed on the upstream registry; until then the patch status for this CVE reads pending. For customers who opt into auto-remediation, a rebuilt image, a regression-test run, and a PR opened against affected workloads are triggered automatically once the fix version is confirmed.

Exploit Conditions

  • Network reachability: Required

    The vulnerable Axios-based client must make an outbound request that is redirected to a host it reaches without the proxy (for example one excluded by a no_proxy rule). The attacker controls or has compromised the server that receives that redirected request, and needs a way to steer the client there, such as controlling the server that issues the redirect.

  • Authentication: Not required

    No authentication against the vulnerable Axios-based application is required; the attacker only needs to be in a position to receive the redirected HTTP request.

  • Victim interaction: Not required

    No user or victim interaction is needed; the leak happens automatically when Axios follows a redirect during normal HTTP operation.

  • Attack complexity: Low (AC:L)

    Exploit conditions are straightforward and reliable: the attacker only needs to control or observe the redirect target server; no race conditions or special memory layout are required.

Blast Radius

  • The redirect target server receives the raw Proxy-Authorization header value, exposing the proxy credentials; with Basic proxy authentication that is a Base64-encoded username:password pair, which is encoding, not encryption.
  • An attacker holding those proxy credentials can authenticate to the organization's proxy infrastructure and route arbitrary traffic through it, potentially reaching internal network segments.
  • Proxy credential exposure may allow pivoting to other internal services or systems that trust traffic originating from the corporate proxy.

How HarborGuard Handles This

Available on HarborGuard: the advisory names axios 0.32.0 and 1.16.0 as the fixed releases; HarborGuard re-checks the advisory on every ingest cycle and surfaces a patched-image rebuild as soon as a fixed release is confirmed upstream. Until affected workloads are rebuilt, compensating controls worth considering are: restricting egress so that Axios-based services can reach only the proxy and an explicit allow-list of directly connected hosts (a network policy cannot see redirects, but it can keep the redirected request from reaching an untrusted host); disabling automatic redirect following (maxRedirects: 0) where the application can handle redirects itself, dropping Proxy-Authorization before re-issuing any request that does not go through the proxy; and rotating any proxy credentials that may already have been exposed. For customers who opt into auto-remediation, HarborGuard triggers a rebuilt image, a regression-test run, and a PR against affected workloads once the fix version is confirmed; the median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled.
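The mechanism from the synopsis and the two mitigations named above (strip the header on hops that bypass the proxy, or stop following redirects with maxRedirects: 0), as an added example that is not Axios's own code: a small Node.js model of a client that re-evaluates its proxy choice on every hop of a redirect chain. The proxy, the NO_PROXY list, the `responses` table that stands in for real servers, and the function names are all constructed for the example; it does no network I/O, and it generalises the page's single case to any chain in which a later hop is reached directly.

```javascript
// Added example, not Axios code: how a Proxy-Authorization header set for an
// authenticated proxy can ride along onto a redirect hop that never touches
// the proxy, and how the fix (drop it on non-proxied hops) and the
// maxRedirects: 0 workaround change what is sent. All data is constructed.

const PROXY = { host: 'proxy.corp.example', port: 3128, username: 'svc-account', password: 'hunter2' };
const NO_PROXY = ['localhost', '.internal.example']; // hosts reached directly (assumed)

// proxy-from-env style rule: exact host match, or a leading-dot suffix match.
function bypassesProxy(hostname, noProxy = NO_PROXY) {
  return noProxy.some((entry) =>
    entry === '*' ||
    (entry.startsWith('.') ? hostname === entry.slice(1) || hostname.endsWith(entry) : hostname === entry));
}

// Basic proxy credentials are only Base64-encoded; whoever sees the header
// recovers user and password with one decode.
function proxyAuthorization(proxy) {
  return 'Basic ' + Buffer.from(`${proxy.username}:${proxy.password}`, 'utf8').toString('base64');
}

// Follow a redirect chain and record what each hop sends.
//   responses: { [absoluteUrl]: { status, location? } } answers for each server
//   maxRedirects: 0 hands the 3xx back to the caller instead of following it
//   stripStaleProxyAuth: the fix, drop the header whenever a hop is direct
function followRedirects(startUrl, responses, { maxRedirects = 5, stripStaleProxyAuth = false } = {}) {
  const hops = [];
  const headers = { 'user-agent': 'example-client/1.0' };
  let url = new URL(startUrl);
  let status;
  for (let redirects = 0; ; redirects++) {
    const viaProxy = !bypassesProxy(url.hostname);
    if (viaProxy) {
      headers['proxy-authorization'] = proxyAuthorization(PROXY);
    } else if (stripStaleProxyAuth) {
      delete headers['proxy-authorization'];
    }
    // Vulnerable behaviour: without the strip, a direct hop keeps whatever
    // header the previous, proxied hop set.
    hops.push({ url: url.href, viaProxy, sentProxyAuth: 'proxy-authorization' in headers });
    const resp = responses[url.href] || { status: 200 };
    status = resp.status;
    const isRedirect = status >= 300 && status < 400 && Boolean(resp.location);
    if (!isRedirect || redirects >= maxRedirects) break;
    url = new URL(resp.location, url);
  }
  return { hops, finalStatus: status };
}

// Constructed scenario: a vendor API behind the proxy redirects to a file host
// that NO_PROXY excludes, so the second hop is a direct connection.
const RESPONSES = {
  'https://api.vendor.example/download': { status: 302, location: 'http://files.internal.example/blob' },
  'http://files.internal.example/blob': { status: 200 },
};

function demo() {
  const start = 'https://api.vendor.example/download';
  return {
    leaky: followRedirects(start, RESPONSES),
    fixed: followRedirects(start, RESPONSES, { stripStaleProxyAuth: true }),
    noFollow: followRedirects(start, RESPONSES, { maxRedirects: 0 }),
  };
}

for (const [name, r] of Object.entries(demo())) {
  console.log(name, r.finalStatus,
    r.hops.map((h) => `${h.url} via=${h.viaProxy ? 'proxy' : 'direct'} proxyAuth=${h.sentProxyAuth}`));
}
```

Running it shows the second hop of `leaky` going to files.internal.example directly with `proxyAuth=true`, which is the leak; `fixed` sends the same hop without the header, and `noFollow` never leaves the first hop, returning the 302 for the caller to handle, which is why `maxRedirects: 0` only helps if the code that re-issues the request also drops the header.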

Affected packages
  • axios / axios
    >= 1.0.0, < 1.16.0 · < 0.32.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N