Home > Vulnerability Database > CVE-2026-21697

Mend.io Vulnerability Database

CVE-2026-21697

Good to know:

Date: January 7, 2026

axios4go is a Go HTTP client library. Prior to version 0.6.4, a race condition vulnerability exists in the shared HTTP client configuration. The global "defaultClient" is mutated during request execution without synchronization, directly modifying the shared "http.Client"'s "Transport", "Timeout", and "CheckRedirect" properties. Impacted applications include that that use axios4go with concurrent requests (multiple goroutines, "GetAsync", "PostAsync", etc.), those where different requests use different proxy configurations, and those that handle sensitive data (authentication credentials, tokens, API keys). Version 0.6.4 fixes this issue.

Severity Score

7.5

Related Resources (5)

Url: https://github.com/rezmoss/axios4go/commit/b651604c64e66a115ab90cdab358b0181d74a842

Url: https://github.com/rezmoss/axios4go/security/advisories/GHSA-cmj9-27wj-7x47

Url: https://github.com/rezmoss/axios4go/releases/tag/v0.6.4

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-21697

Url: https://www.mend.io/vulnerability-database/CVE-2026-21697

Severity Score

7.5

Weakness Type (CWE)

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CWE-362

Top Fix

Upgrade Version

Upgrade to version https://github.com/rezmoss/axios4go.git - v0.6.4

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2026-21697

Good to know:

Date: January 7, 2026

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?