Medium severity5.3GHSA Advisory· Published May 13, 2026· Updated May 14, 2026

CVE-2026-44431

Description

urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0.

Affected products

Urllib3/Urllib3GHSA
Range: >= 1.23, < 2.7.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-qccp-gfcp-xxvcghsaADVISORY
github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvcnvdMitigationVendor Advisory
nvd.nist.gov/vuln/detail/CVE-2026-44431ghsa

News mentions

No linked articles in our index yet.

cvss	0.345
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000