Description
urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0.
Published: 2026-05-13
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

urllib3 allows a low‑level redirect mechanism to forward sensitive HTTP headers, such as authentication tokens or cookies, to a third‑party origin when the call uses ProxyManager.connection_from_url() with assert_same_host disabled. This results in a confidentiality loss, enabling an attacker to read headers the application intended to keep confined, and is classified as CWE‑200 and CWE‑201.

Affected Systems

All installations of urllib3 from version 1.23 through versions before 2.7.0 are affected. The issue resides in the library’s ProxyManager component that follows low‑level redirects.

Risk and Exploitability

The CVSS score of 8.2 marks the vulnerability as high severity, and the EPSS score of <1% indicates a very low exploitation probability. Exploitation requires an application that uses the vulnerable redirect path and permits assert_same_host=False, which is a non‑common but feasible configuration in many Python web clients. No public exploit has been reported, but the potential to leak sensitive headers makes it a compelling target for attackers with access to the redirecting service. The vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on May 26, 2026 at 01:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade urllib3 to version 2.7.0 or later, which removes the header‑forwarding flaw.
  • If an upgrade is not possible, configure ProxyManager to use assert_same_host=True or avoid the low‑level redirect path entirely.
  • Verify that your proxy settings do not unintentionally expose sensitive request headers to outbound destinations.

Generated by OpenCVE AI on May 26, 2026 at 01:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-qccp-gfcp-xxvc urllib3: Sensitive headers forwarded across origins in proxied low-level redirects
History

Tue, 26 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-201
References
Metrics threat_severity

None

 threat_severity

Moderate

Thu, 14 May 2026 14:00:00 +0000

Type Values Removed Values Added
First Time appeared Python
Python urllib3
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:python:urllib3:*:*:*:*:*:*:*:*
Vendors & Products Python
Python urllib3
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Wed, 13 May 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Urllib3
Urllib3 urllib3
Vendors & Products Urllib3
Urllib3 urllib3
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 13 May 2026 16:15:00 +0000

Type Values Removed Values Added
Description urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0.
Title urllib3: Sensitive headers forwarded across origins in proxied low-level redirects
Weaknesses CWE-200
References
Metrics cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Python Urllib3
Urllib3 Urllib3
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-13T17:17:07.339Z

Reserved: 2026-05-06T14:40:00.954Z

Link: CVE-2026-44431

cve-icon Vulnrichment

Updated: 2026-05-13T17:15:24.639Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-13T16:16:57.150

Modified: 2026-05-14T13:56:27.263

Link: CVE-2026-44431

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-13T15:20:24Z

Links: CVE-2026-44431 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-26T01:30:15Z

Weaknesses