PT-2026-39665 · Pypi · Urllib3

Christos-Spearbit · Published 2026-05-11 · Updated 2026-06-03 · CVE-2026-44431

CVSS v4.0: 8.2 High
Vector: AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: urllib3 versions 1.23 through 2.6.x

Description: Sensitive headers (Authorization, Cookie, and Proxy-Authorization) are forwarded on cross-origin redirects when the low-level API is used via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False). The high-level APIs urllib3.request(), PoolManager.request(), and ProxyManager.request() strip these headers by default on cross-origin redirects; the low-level flow does not.

Recommendations: Upgrade to version 2.7.0 or later. Avoid using the low-level redirect flow for cross-origin redirects, or switch to ProxyManager.request().
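As an added example (not urllib3's own code and not part of this advisory): the origin check that the high-level request() APIs apply before following a redirect, written with the standard library so that a caller who drives pool.urlopen(..., redirect=False) by hand can apply it at every hop. The transport, host names, token and header set below are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

# Header names urllib3's high-level request() APIs drop on cross-origin
# redirects; this helper is added here and is not urllib3's own code.
SENSITIVE_HEADERS = frozenset({"authorization", "cookie", "proxy-authorization"})
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """(scheme, host, port) of a URL, filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, (parts.hostname or "").lower(), port


def headers_for_redirect(request_url, location, headers):
    """Resolve `location` against `request_url`; drop sensitive headers when
    the redirect target is a different origin (scheme, host or port)."""
    target = urljoin(request_url, location)
    if origin(target) == origin(request_url):
        return target, dict(headers)
    return target, {k: v for k, v in headers.items()
                    if k.lower() not in SENSITIVE_HEADERS}


def follow_redirects(send, url, headers, max_redirects=5):
    """Drive a redirect chain through `send(url, headers) -> (status, location)`,
    a stand-in for pool.urlopen(..., redirect=False), re-checking the origin
    at every hop. Returns the final URL and the headers sent to it."""
    for _ in range(max_redirects + 1):
        status, location = send(url, headers)
        if status not in (301, 302, 303, 307, 308) or not location:
            return url, headers
        url, headers = headers_for_redirect(url, location, headers)
    raise RuntimeError("too many redirects")


def make_fake_transport(log):
    """Constructed transport: the first host redirects to an unrelated host.
    Every request is appended to `log` as (host, headers sent)."""
    def send(url, headers):
        host = urlsplit(url).hostname
        log.append((host, dict(headers)))
        if host == "api.example.com":
            return 302, "https://cdn.example.net/download"
        return 200, None
    return send
```

Running follow_redirects with make_fake_transport and an Authorization header shows the header reaching api.example.com but not cdn.example.net, while a same-origin Location such as /login keeps it.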

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CLEANSTART-2026-AN27706
CLEANSTART-2026-EP51501
CLEANSTART-2026-GH89210
CLEANSTART-2026-HZ86045
CLEANSTART-2026-LZ07533
CLEANSTART-2026-MV15822
CLEANSTART-2026-QK55639
CLEANSTART-2026-UV23635
CVE-2026-44431
ECHO-4544-3B20-7E41
GHSA-QCCP-GFCP-XXVC
OESA-2026-2298
OESA-2026-2299
OESA-2026-2300
OESA-2026-2390
OESA-2026-2391
OPENSUSE-SU-2026:10838-1
PYSEC-2026-141
USN-8379-1

Affected Products

Urllib3