CVE-2026-44486

HIGH 7.5

Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection

CVSS Score

7.5

EPSS Score

0.0%

EPSS Percentile

0th

Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios’ Node.js HTTP adapter can leak proxy credentials to a redirect target in affected versions. When a request is sent through an authenticated proxy, Axios may add a Proxy-Authorization header. If Axios then follows a redirect and the redirected request is no longer sent through that proxy, the stale Proxy-Authorization header can remain on the redirected request and be sent to the redirect target. This affects Node.js's use of Axios with automatic redirects enabled and an authenticated proxy configuration. Browser adapters are not affected. This vulnerability is fixed in 0.32.0 and 1.16.0.

CWE	CWE-200
Vendor	axios
Product	axios
Published	Jun 11, 2026

Stay Ahead of the Next One

Get instant alerts for axios axios

Be the first to know when new high vulnerabilities affecting axios axios are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Affected Versions

axios / axios

>= 1.0.0, < 1.16.0 < 0.32.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/axios/axios/security/advisories/GHSA-j5f8-grm9-p9fc