High severity · GHSA Advisory · Published May 14, 2026 · Updated May 14, 2026
CVE-2026-44503
Description
The RedirectHandler middleware in microsoft/kiota-java (com.microsoft.kiota:microsoft-kiota-http-okHttp v1.9.0) and other Kiota libraries fails to strip sensitive HTTP headers when following 3xx redirects to a different host or scheme. Only the Authorization header is removed; Cookie, Proxy-Authorization, and all custom headers are forwarded to the redirect target.
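The header handling described above, as an added example that is not code from any Kiota library or its patch. The function names, the allowlist of headers kept across origins, the port comparison, and the sample headers and URLs are assumptions made for illustration:

```python
from urllib.parse import urlsplit

# Assumption: the only headers considered safe to carry to another origin.
SAFE_CROSS_ORIGIN = {"accept", "accept-language", "user-agent"}
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample request headers (values are placeholders).
SAMPLE = {
    "Authorization": "Bearer <token>",
    "Cookie": "session=<id>",
    "Proxy-Authorization": "Basic <creds>",
    "X-Api-Key": "<key>",
    "Accept": "application/json",
}


def origin(url):
    """Return (scheme, host, port) with the default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)


def redirect_headers_flawed(headers, original_url, redirect_url):
    """Behaviour the advisory describes: only Authorization is removed."""
    if origin(original_url)[:2] == origin(redirect_url)[:2]:
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() != "authorization"}


def redirect_headers_hardened(headers, original_url, redirect_url):
    """Same origin keeps all headers; any other target gets the allowlist only."""
    if origin(original_url) == origin(redirect_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() in SAFE_CROSS_ORIGIN}


def leaked(policy, src="https://api.example.com/v1/me",
           dst="http://other.example.net/v1/me"):
    """Names of the sensitive sample headers the policy forwards to dst."""
    return sorted(k for k in policy(SAMPLE, src, dst) if k != "Accept")


if __name__ == "__main__":
    print("flawed forwards:  ", leaked(redirect_headers_flawed))
    print("hardened forwards:", leaked(redirect_headers_hardened))
```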
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.microsoft.kiota:microsoft-kiota-abstractions (Maven) | < 1.9.1 | 1.9.1 |
| Microsoft.Kiota.Abstractions (NuGet) | < 1.22.0 | 1.22.0 |
| microsoft-kiota-http (PyPI) | < 1.9.9 | 1.9.9 |
| kiota-typescript (npm) | < 1.0.0-preview.100 | 1.0.0-preview.100 |
| github.com/microsoft/kiota-http-go (Go) | < 1.5.5 | 1.5.5 |
Affected products
| Package URL (OSV coordinates) | Affected range |
|---|---|
| pkg:apk/chainguard/authentik-2025.12 | < 2025.12.4-r9 |
| pkg:apk/chainguard/authentik-2026.2 | < 2026.2.1-r9 |
| pkg:apk/chainguard/authentik-fips-2025.12 | < 2025.12.4-r7 |
| pkg:apk/chainguard/authentik-fips-2026.2 | < 2026.2.1-r7 |
| pkg:apk/chainguard/azure-service-operator | < 2.19.0-r0 |
| pkg:apk/chainguard/azure-service-operator-fips | < 2.19.0-r0 |
| pkg:apk/chainguard/cloudbeat-8.17 | < 8.17.10-r16 |
| pkg:apk/chainguard/cloudbeat-8.19 | < 8.19.13-r13 |
| pkg:apk/chainguard/cloudbeat-9.0 | < 9.0.8-r18 |
| pkg:apk/chainguard/cloudbeat-9.1 | < 9.1.10-r11 |
| pkg:apk/chainguard/cloudbeat-9.2 | < 9.2.7-r9 |
| pkg:apk/chainguard/cloudbeat-9.3 | < 9.3.4-r1 |
| pkg:apk/chainguard/cloudbeat-fips-8.17 | < 8.17.10-r22 |
| pkg:apk/chainguard/cloudbeat-fips-8.19 | < 8.19.13-r11 |
| pkg:apk/chainguard/cloudbeat-fips-9.0 | < 9.0.8-r21 |
| pkg:apk/chainguard/cloudbeat-fips-9.1 | < 9.1.10-r15 |
| pkg:apk/chainguard/cloudbeat-fips-9.2 | < 9.2.7-r13 |
| pkg:apk/chainguard/cloudbeat-fips-9.3 | < 9.3.4-r0 |
| pkg:apk/chainguard/rancher-2.10 | < 2.10.11-r10 |
| pkg:apk/chainguard/rancher-2.11 | < 2.11.13-r2 |
| pkg:apk/chainguard/rancher-2.12 | < 2.12.9-r4 |
| pkg:apk/chainguard/rancher-2.13 | < 2.13.5-r1 |
| pkg:apk/chainguard/rancher-agent-2.10 | < 2.10.11-r9 |
| pkg:apk/chainguard/rancher-agent-2.11 | < 2.11.13-r1 |
| pkg:apk/chainguard/rancher-agent-2.12 | < 2.12.9-r2 |
| pkg:apk/chainguard/rancher-agent-2.13 | < 2.13.5-r1 |
| pkg:apk/chainguard/vault-1.16 | < 1.16.3-r38 |
| pkg:apk/chainguard/vault-2.0 | < 2.0.0-r1 |
| pkg:apk/chainguard/vault-fips-2.0 | < 2.0.0-r1 |
| pkg:apk/wolfi/azure-service-operator | < 2.19.0-r0 |
| pkg:apk/wolfi/rancher-2.10 | < 2.10.11-r10 |
| pkg:apk/wolfi/rancher-2.11 | < 2.11.13-r2 |
| pkg:apk/wolfi/rancher-2.12 | < 2.12.9-r4 |
| pkg:apk/wolfi/rancher-2.13 | < 2.13.5-r1 |
| pkg:apk/wolfi/rancher-agent-2.10 | < 2.10.11-r9 |
| pkg:apk/wolfi/rancher-agent-2.11 | < 2.11.13-r1 |
| pkg:apk/wolfi/rancher-agent-2.12 | < 2.12.9-r2 |
| pkg:apk/wolfi/rancher-agent-2.13 | < 2.13.5-r1 |
| pkg:golang/github.com/microsoft/kiota-http-go | < 1.5.5 |
| pkg:maven/com.microsoft.kiota/microsoft-kiota-abstractions | < 1.9.1 |
| pkg:npm/kiota-typescript | < 1.0.0-preview.100 |
| pkg:nuget/microsoft.kiota.abstractions | < 1.22.0 |
| pkg:pypi/microsoft-kiota-http | < 1.9.9 |