VYPR
High severityGHSA Advisory· Published May 14, 2026· Updated May 14, 2026

CVE-2026-44503

CVE-2026-44503

Description

The RedirectHandler middleware in microsoft/kiota-java (com.microsoft.kiota:microsoft-kiota-http-okHttp v1.9.0) and other Kiota libraries fails to strip sensitive HTTP headers when following 3xx redirects to a different host or scheme. Only the Authorization header is removed; Cookie, Proxy-Authorization, and all custom headers are forwarded to the redirect target.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
com.microsoft.kiota:microsoft-kiota-abstractionsMaven
< 1.9.11.9.1
Microsoft.Kiota.AbstractionsNuGet
< 1.22.01.22.0
microsoft-kiota-httpPyPI
< 1.9.91.9.9
kiota-typescriptnpm
< 1.0.0-preview.1001.0.0-preview.100
github.com/microsoft/kiota-http-goGo
< 1.5.51.5.5

Affected products

44

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.