CVE-2026-44486: Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection
Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios’ Node.js HTTP adapter can leak proxy credentials to a redirect target in affected versions. When a request is sent through an authenticated proxy, Axios may add a Proxy-Authorization header. If Axios then follows a redirect and the redirected request is no longer sent through that proxy, the stale Proxy-Authorization header can remain on the redirected request and be sent to the redirect target. This affects Node.js's use of Axios with automatic redirects enabled and an authenticated proxy configuration. Browser adapters are not affected. This vulnerability is fixed in 0.32.0 and 1.16.0.
Security readout for executives and security teams
Plain-English summary
CVE-2026-44486 can expose proxy credentials from Node.js applications using Axios. If Axios follows a redirect after using an authenticated proxy, it may send the old Proxy-Authorization header to the redirected site. The main business risk is credential disclosure, not system takeover.
Executive priority
Treat as a high-priority credential exposure issue for server-side applications. Prioritize internet-facing or partner-integrating services that make outbound Axios requests through authenticated proxies.
Technical view
Affected Axios versions before 0.32.0 and 1.16.0 can retain a Proxy-Authorization header across redirects when the redirected request is no longer sent through the proxy. Scope is Axios Node.js HTTP adapter with authenticated proxy configuration and automatic redirects. Browser adapters are not affected.
Likely exposure
Exposure is most likely in server-side Node.js services using affected Axios versions with authenticated proxies and redirect following enabled. Browser-only Axios use is not affected according to the source bundle.
Exploitation context
The source bundle marks KEV as false and does not cite active exploitation. The vulnerability is remotely reachable in vulnerable request flows, but exploitation depends on a redirect path receiving the stale proxy credential header.
Researcher notes
Evidence is specific to Axios Node.js HTTP adapter behavior. The sources name fixed versions and affected ranges, but do not provide active exploitation evidence, exploit code status, or a complete downstream product inventory.
Mitigation direction
Upgrade Axios to 0.32.0 or 1.16.0 or later.
Inventory Node.js dependency trees for affected Axios ranges.
Prioritize services using authenticated proxies and automatic redirects.
Check Red Hat advisories for packaged or bundled Axios exposure.
Rotate proxy credentials if disclosure is suspected.
Validation and detection
Confirm deployed Axios versions are not in affected ranges.
Identify Node.js services using Axios with authenticated proxy configuration.
Verify redirect-following behavior in relevant outbound request paths.
Confirm browser-only Axios usage is excluded from impact.
Review logs for unexpected Proxy-Authorization disclosure indicators.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-200: Information exposure and cloud metadata lookup
Information exposure and SSRF weaknesses can make discovery, cloud metadata, and credential material review relevant. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
CWE-201: Information exposure and cloud metadata lookup
Information exposure and SSRF weaknesses can make discovery, cloud metadata, and credential material review relevant. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-200 · source CWE mapping
Exposure of Sensitive Information to an Unauthorized Actor
Exposure of Sensitive Information to an Unauthorized Actor represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Insertion of Sensitive Information Into Sent Data represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.