Kiota abstractions RedirectHandler leaks Cookie/Proxy-Authorization headers on cross-host redirect — CVE-2026-44503
GHSA · GitHub · CVE-2026-44503
ID
CVE-2026-44503
CVE-2026-44503
Date
Updated
Activity
Source
GHSA
GHSA
Vendor
GitHub
GitHub
Threat
high
high
CVSS
7
7
Summary
### Summary The RedirectHandler middleware in microsoft/kiota-java (com.microsoft.kiota:microsoft-kiota-http-okHttp v1.9.0) and other Kiota libraries fails to strip sensitive HTTP headers when following 3xx redirects to a different host or scheme. This vulnerability is present in the RedirectHandlers for: https://github.com/microsoft/kiota-dotnet https://github.com/microsoft/kiota-java…
Product
maven: com.microsoft.kiota:microsoft-kiota-abstractions | nuget: Microsoft.Kiota.Abstractions | pip: microsoft-kiota-http | npm: kiota-typescript | go: github.com/microsoft/kiota-http-go
What to do
General, cautious steps (verify details in the official source):
- Prioritize patching or mitigation immediately (treat as actively risky).
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.