CVE-2026-44431
Published:May 11, 2026
Updated:May 12, 2026
Impact When following cross-origin redirects for requests made using urllib3’s high-level APIs, such as "urllib3.request()", "PoolManager.request()", and "ProxyManager.request()", sensitive headers — "Authorization", "Cookie", and "Proxy-Authorization" (defined in "Retry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT") — are stripped by default, as expected. However, cross-origin redirects followed from the low-level API via "ProxyManager.connection_from_url().urlopen(..., assert_same_host=False)" still forward these sensitive headers. Affected usage Applications and libraries using urllib3 versions earlier than 2.7.0 may be affected if they allow cross-origin redirects while making requests through "HTTPConnection.urlopen()" instances created via "ProxyManager.connection_from_url()". Remediation Upgrade to urllib3 version 2.7.0 or later, in which sensitive headers are stripped from redirects followed by "HTTPConnection". If upgrading is not immediately possible, avoid using this low-level redirect flow for cross-origin redirects. If appropriate for your use case, switch to "ProxyManager.request()".
Affected Packages
urllib3 (CONDA):
Affected version(s) >=1.23 <2.7.0Fix Suggestion:
Update to version 2.7.0urllib3 (PYTHON):
Affected version(s) >=1.23 <2.7.0Fix Suggestion:
Update to version 2.7.0Related Resources (2)
Do you need more information?
Contact UsCVSS v4
Base Score:
8.2
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
PRESENT
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
NONE
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
5.9
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
NONE
Availability
NONE
Weakness Type (CWE)
Exposure of Sensitive Information to an Unauthorized Actor