PT-2026-38408 · Microsoft · Microsoft-Kiota-Http-Okhttp+5

Michaelmainer

·

Published

2026-05-07

·

Updated

2026-06-25

·

CVE-2026-44503

CVSS v3.1

9.8

Critical

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

microsoft-kiota-http-okHttp versions 1.9.0 and earlier
kiota-dotnet (affected versions not specified)
kiota-java (affected versions not specified)
kiota-python (affected versions not specified)
kiota-typescript (affected versions not specified)
kiota-http-go (affected versions not specified)
Description

The RedirectHandler middleware fails to strip sensitive HTTP headers when following 3xx redirects to a different host or scheme. Only the Authorization header is removed; other sensitive headers, including Cookie, Proxy-Authorization, and custom headers (for example, headers carrying API keys), are forwarded unchanged to the redirect target. The flaw is in the getRedirect() function. An attacker who can make a trusted API issue a cross-origin redirect (for instance, through an open redirect on that API) can capture session cookies, proxy credentials, and API keys from the redirected request, potentially leading to session hijacking or credential theft. Because the redirect is followed automatically by the client middleware, the application using the SDK does not see the hop and cannot intervene.
Recommendations

Update microsoft-kiota-http-okHttp to a version later than 1.9.0. At the moment, there is no information about a newer version that contains a fix for this vulnerability for kiota-dotnet, kiota-java, kiota-python, kiota-typescript, and kiota-http-go.
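To make the behaviour concrete, the following added example (not code from microsoft-kiota-http-okHttp or any other Kiota library) simulates a redirect handler in Python. It models both policies: a vulnerable one that drops only Authorization on a cross-origin hop, and a hardened one that treats a change of scheme, host or port as a new origin and forwards only an allowlist of non-credential headers. The function names, the allowlist, the sample request headers and the URLs are assumptions chosen for illustration; the same policy applies to whichever Kiota HTTP library is in use.

```python
"""Simulated RedirectHandler header handling on a 3xx redirect.

Added example: this is not code from microsoft-kiota-http-okHttp or any
other Kiota library. Function names, the allowlist and the sample request
are assumptions chosen to illustrate the behaviour the advisory describes.
"""
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# Credential-bearing headers that must never follow a cross-origin redirect.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie"}

# Assumed allowlist of headers safe to forward to any origin. Anything not
# listed (e.g. a custom X-Api-Key) is treated as potentially sensitive.
FORWARDABLE_HEADERS = {
    "accept", "accept-encoding", "accept-language", "content-type", "user-agent",
}

DEFAULT_PORTS = {"http": 80, "https": 443}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed sample request to a trusted API, carrying several credentials.
SAMPLE_HEADERS = {
    "Authorization": "Bearer eyJhbGciOi...demo",
    "Cookie": "session=abc123",
    "Proxy-Authorization": "Basic cHJveHk6c2VjcmV0",
    "X-Api-Key": "demo-api-key",
    "Accept": "application/json",
    "User-Agent": "kiota-demo/0.1",
}
ORIGINAL_URL = "https://api.example.com/v1/users"


def origin(url: str) -> Tuple[str, str, int]:
    """Return (scheme, host, port) for a URL, filling in default ports."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    port = u.port if u.port is not None else DEFAULT_PORTS.get(scheme, -1)
    return scheme, (u.hostname or "").lower(), port


def is_cross_origin(original_url: str, redirect_url: str) -> bool:
    """True when scheme, host or port differ between the two URLs."""
    return origin(original_url) != origin(redirect_url)


def vulnerable_redirect_headers(headers: Dict[str, str], original_url: str,
                                redirect_url: str) -> Dict[str, str]:
    """Mirrors the flaw: only Authorization is dropped on a cross-origin hop."""
    if not is_cross_origin(original_url, redirect_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() != "authorization"}


def hardened_redirect_headers(headers: Dict[str, str], original_url: str,
                              redirect_url: str) -> Dict[str, str]:
    """Same origin: forward everything. Cross origin: forward only allowlisted headers."""
    if not is_cross_origin(original_url, redirect_url):
        return dict(headers)
    return {
        k: v for k, v in headers.items()
        if k.lower() in FORWARDABLE_HEADERS and k.lower() not in SENSITIVE_HEADERS
    }


def follow_redirect(headers: Dict[str, str], original_url: str, status: int,
                    location: Optional[str],
                    strip: Callable[[Dict[str, str], str, str], Dict[str, str]]
                    ) -> Optional[Tuple[str, Dict[str, str]]]:
    """Resolve a 3xx Location (absolute or relative) and build the next request's
    headers under the given stripping policy. Returns None when there is no redirect."""
    if status not in REDIRECT_STATUSES or not location:
        return None
    target = urljoin(original_url, location)
    return target, strip(headers, original_url, target)


if __name__ == "__main__":
    evil = "https://attacker.example.net/capture"
    _, leaked = follow_redirect(SAMPLE_HEADERS, ORIGINAL_URL, 302, evil, vulnerable_redirect_headers)
    _, safe = follow_redirect(SAMPLE_HEADERS, ORIGINAL_URL, 302, evil, hardened_redirect_headers)
    print("vulnerable forwards:", sorted(leaked))
    print("hardened forwards:  ", sorted(safe))
```

The hardened policy is allowlist-based rather than denylist-based on purpose: a denylist of known credential headers still lets an application-specific header such as X-Api-Key cross the origin boundary, which is exactly the custom-header leak the advisory describes. A change of scheme (https to http) or port alone is also treated as cross-origin, since a downgrade or a different service on the same host is a different trust boundary.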

Open Redirect


Weakness Enumeration

Related Identifiers

CLEANSTART-2026-CN27900
CLEANSTART-2026-CQ05396
CLEANSTART-2026-FU07345
CLEANSTART-2026-HB39135
CLEANSTART-2026-NM83456
CLEANSTART-2026-UI95341
CLEANSTART-2026-XB69243
CLEANSTART-2026-YG71543
CVE-2026-44503
GHSA-7J59-V9QR-6FQ9
GO-2026-5224

Affected Products

Kiota-Dotnet
Kiota-Http-Go
Kiota-Java
Kiota-Python
Kiota-Typescript
Microsoft-Kiota-Http-Okhttp