Description
The RedirectHandler middleware in microsoft/kiota-java (com.microsoft.kiota:microsoft-kiota-http-okHttp v1.9.0) and other Kiota libraries fails to strip sensitive HTTP headers when following 3xx redirects to a different host or scheme. Only the Authorization header is removed; Cookie, Proxy-Authorization, and all custom headers are forwarded to the redirect target.
Published: 2026-05-14
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The RedirectHandler middleware in the Kiota libraries fails to remove Cookie, Proxy-Authorization, and any custom headers when following HTTP 3xx redirects to a different host or scheme. It only removes the Authorization header, permitting the attacker to gain unauthorized access to credential information and session data that is forwarded to a foreign destination. This flaw falls under CWE‑601, which describes the risk of using client‑side redirects to leak data to untrusted hosts.

Affected Systems

Affected vendors include Microsoft, with libraries for Java, Go, TypeScript, and other Kiota abstractions. The specific product identified in the description is com.microsoft.kiota:microsoft-kiota-http-okHttp version 1.9.0, and analogous versions of the Kiota libraries across languages share the same flaw.

Risk and Exploitability

The CVSS score of 7 indicates a high potential for damage, while the EPSS score is not available, making the current exploitation probability uncertain. The vulnerability is not listed in the CISA KEV catalog. A likely attack vector involves a server‑side request that initiates a redirect to an attacker‑controlled host; the redirect handler then forwards sensitive headers to that host, enabling credential theft or session hijacking. Proper input validation and header sanitization are required to mitigate the exploitation path.

Generated by OpenCVE AI on May 14, 2026 at 17:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade all Kiota libraries to the latest vendor release that includes the header‑leak fix.
  • Disable automatic HTTP redirects in client configurations or use a custom redirect handler that explicitly strips sensitive headers before completing the redirect.
  • Configure the application to remove any Cookie, Proxy-Authorization, or custom headers from outgoing requests that redirect to a different host, ensuring only the allowed headers are forwarded.

Generated by OpenCVE AI on May 14, 2026 at 17:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-7j59-v9qr-6fq9 Kiota abstractions RedirectHandler leaks Cookie/Proxy-Authorization headers on cross-host redirect
History

Thu, 14 May 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 16:15:00 +0000

Type Values Removed Values Added
Description The RedirectHandler middleware in microsoft/kiota-java (com.microsoft.kiota:microsoft-kiota-http-okHttp v1.9.0) and other Kiota libraries fails to strip sensitive HTTP headers when following 3xx redirects to a different host or scheme. Only the Authorization header is removed; Cookie, Proxy-Authorization, and all custom headers are forwarded to the redirect target.
Title Kiota abstractions RedirectHandler leaks Cookie/Proxy-Authorization headers on cross-host redirect
Weaknesses CWE-601
References
Metrics cvssV4_0

{'score': 7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T19:51:10.682Z

Reserved: 2026-05-06T18:28:20.886Z

Link: CVE-2026-44503

cve-icon Vulnrichment

Updated: 2026-05-14T18:02:18.424Z

cve-icon NVD

Status : Deferred

Published: 2026-05-14T16:16:24.223

Modified: 2026-05-14T20:17:08.177

Link: CVE-2026-44503

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T17:45:25Z

Weaknesses