CVE-2026-44431

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-44431
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-44431.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-44431
Aliases
Downstream
Related
Published
2026-05-13T15:20:24.588Z
Modified
2026-05-20T08:11:57.174274131Z
Severity
  • 8.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
urllib3: Sensitive headers forwarded across origins in proxied low-level redirects
Details

urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connectionfromurl().urlopen(..., assertsamehost=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0.

Database specific 
{
    "cwe_ids": [
        "CWE-200"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44431.json"
}
References

Affected packages

Git / github.com/urllib3/urllib3

Affected ranges

Type
GIT
Repo
https://github.com/urllib3/urllib3
Events
Introduced
7c216f433e39e184b84cbfa49e41135a89e4baa0
Fixed
9a950b92d999f906b6020bb2d1076ee56cddd5d2

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-44431.json"