CVE-2026-44487 · Severity: HIGH · CNA: GitHub_M

CVE-2026-44487: Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter

Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios’s Node.js HTTP adapter may forward a Proxy-Authorization header to a redirected origin during specific proxy-to-direct redirect flows. This affects Node.js usage, where an initial HTTP request is sent through an authenticated HTTP proxy, redirects are followed, and the redirected URL is no longer proxied. Under affected redirect shapes, the final origin can receive the proxy credential that was intended only for the outbound proxy. This vulnerability is fixed in 0.32.0 and 1.16.0.

Metrics

  • CVSS v4.0: 8.2
  • Severity: HIGH
  • Fixed in:
  • Affected Products: 1


HarborGuard Analysis

Synopsis

This is a credential leak vulnerability in the Axios Node.js HTTP client. When an application sends a request through an authenticated HTTP proxy and that request is redirected to an HTTPS origin that bypasses the proxy, Axios may forward the Proxy-Authorization header to the destination server, exposing credentials that were intended only for the proxy. Successful exploitation allows a network-positioned attacker to intercept or log those proxy credentials, enabling further unauthorized access. No fix version has been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is released.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-44487 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI pipelines, including custom-built images that bundle Axios as a dependency.

Triage: Available

Triage is available using the CVSS v4.0 score of 8.2 (HIGH), weighted further by each customer organization's compliance policy to prioritize and route alerts to the appropriate team or inbox inside that environment.

Patch: Pending upstream

Because no fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment upstream releases a corrected version of Axios. In the interim, customers can apply compensating controls such as network-policy isolation or egress filtering to reduce exposure of proxy credentials.

Exploit Conditions

  • Network reachability: Required

    The attacker must be positioned on the network to observe or intercept traffic between the Axios client and the destination origin server.

  • Authentication: Not required

    No authentication is needed; the attacker passively receives or intercepts the leaked Proxy-Authorization header without any credential of their own.

  • Victim interaction: Not required

    No user or victim action is required; the credential leak occurs automatically as part of the redirect-following behavior in the Axios HTTP adapter.

  • Attack complexity: Detail

    Although the exploit itself is reliable once in position, a specific redirect shape must be present (an HTTP-to-HTTPS, proxy-to-direct redirect), making environmental conditions a factor.

Blast Radius

  • An attacker who receives the leaked Proxy-Authorization header gains the plaintext or encoded credentials used to authenticate to the organization's outbound HTTP proxy.
  • With those proxy credentials, the attacker can authenticate to the proxy independently, routing arbitrary traffic through it and potentially pivoting to internal services reachable via that proxy.
  • Confidentiality of the affected requests is compromised; no data integrity or availability impact is introduced by this vulnerability.

How HarborGuard Handles This

Available on HarborGuard: CVE-2026-44487 is matched against all images containing affected Axios versions (>=1.0.0 and <1.16.0, or <0.32.0) across connected registries and pipelines. Because no upstream fix exists at this time, HarborGuard monitors the advisory on every ingest cycle and will trigger a patched-image rebuild and, for customers with auto-remediation enabled, a regression-test run and a PR opened against affected workloads the moment Axios 0.32.0 or 1.16.0 is published. While waiting for an upstream fix, customers are encouraged to consider compensating controls such as restricting network egress for affected services, applying Kubernetes NetworkPolicy rules to isolate proxy traffic paths, or disabling proxy authentication where not strictly required in lower-risk environments. Alerts are routed according to each customer's compliance policy weighting, so teams working under stricter credential-handling requirements will see this surfaced at elevated priority.

Affected packages

  • axios / axios: >= 1.0.0, < 1.16.0 · < 0.32.0

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N