Description
@microsoft/kiota-http-fetchlibrary provides TypeScript libraries for Kiota-generated API clients. In versions 1.0.0-preview.97 through 1.0.0-preview.101, `@microsoft/kiota-http-fetchlibrary`'s `RedirectHandler` is documented as stripping `Authorization` and `Cookie` from cross-origin redirect targets, but the default `scrubSensitiveHeaders` callback in `RedirectHandlerOptions` uses case-sensitive property deletion (`delete headers.Authorization`, `delete headers.Cookie`) on a headers object that `FetchRequestAdapter.getRequestFromRequestInformation` has already lower-cased. The delete therefore targets keys that do not exist, the scrub is a no-op, and any Bearer token or Cookie attached by a kiota-generated SDK is forwarded to an attacker-controlled host across a 30x redirect. This is reachable in the default middleware chain (`MiddlewareFactory.getDefaultMiddlewares`) with no custom configuration, and applies to every kiota-generated TypeScript SDK that uses `BaseBearerTokenAuthenticationProvider` or any other authentication provider that sets the `Authorization` request header. Version 1.0.0-preview.102 patches the issue.
Published: 2026-06-19
Score: 5.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is that @microsoft/kiota-http-fetchlibrary fails to scrub sensitive authentication headers during cross-origin redirects. The default scrub performs case-sensitive deletes against header names that have already been lower-cased, so the Authorization and Cookie headers survive the redirect. An attacker who controls the redirect target receives the bearer token or cookie sent by a Kiota-generated SDK, enabling credential theft or session hijacking. The flaw is not a code-execution or denial-of-service issue; it is an unintended disclosure of authentication information.

Affected Systems

Microsoft's Kiota TypeScript libraries are affected, specifically the header-scrubbing logic of the RedirectHandler in versions 1.0.0-preview.97 through 1.0.0-preview.101. Any Kiota-generated SDK that uses the BaseBearerTokenAuthenticationProvider or otherwise sets the Authorization header, including SDKs using cookie-based authentication, is in scope. The issue is present in the default middleware chain and is fixed starting with version 1.0.0-preview.102.

Risk and Exploitability

The CVSS score of 5.5 places the flaw in the Medium range. No EPSS score is available, and the vulnerability is not listed in the CISA KEV. The attack vector is limited to application code whose fetch request is answered with a 30x redirect to an attacker-controlled host. Because the defective scrub is enabled by default and requires no custom configuration, any application using these SDKs can leak credentials if it follows a cross-origin redirect. The risk is therefore moderate but real for systems whose requests may be redirected to untrusted hosts.

Generated by OpenCVE AI on June 19, 2026 at 20:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Kiota TypeScript library to version 1.0.0‑preview.102 or later
  • If upgrading is not immediately possible, modify the RedirectHandlerOptions.scrubSensitiveHeaders callback to delete the lower‑cased keys (e.g., "authorization" and "cookie")
  • Re‑evaluate any use of cross‑origin redirects in the application and remove or restrict them for requests that carry sensitive authentication headers
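The following is an added example, not code from @microsoft/kiota-http-fetchlibrary or from OpenCVE. It models the mechanism in the Description and Impact sections (a case-sensitive delete that is a no-op against lower-cased header names) next to the case-insensitive scrub the recommended actions call for, with the cross-origin check that decides when the scrub applies; all function names, sample headers and URLs are constructed.

```typescript
// Added example for CVE-2026-49336; not the library's own code. It assumes the
// request adapter has already lower-cased every header name before the redirect
// handler runs, as the advisory describes. Names and sample values are constructed.
type HeaderMap = Record<string, string>;

// Mirrors the vulnerable default described in the advisory: property deletion by
// exact (case-sensitive) name. Against lower-cased keys it deletes nothing.
function scrubVulnerable(headers: HeaderMap): HeaderMap {
  const h: HeaderMap = { ...headers };
  delete h.Authorization; // no-op: the key actually present is "authorization"
  delete h.Cookie;        // no-op: the key actually present is "cookie"
  return h;
}

// Hardened scrub: match header names case-insensitively so the result does not
// depend on whatever casing an upstream component applied.
const SENSITIVE = new Set(["authorization", "cookie"]);
function scrubCaseInsensitive(headers: HeaderMap): HeaderMap {
  const h: HeaderMap = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!SENSITIVE.has(name.toLowerCase())) h[name] = value;
  }
  return h;
}

// Decide which headers follow a redirect. A Location header may be relative, so it
// is resolved against the original request URL; the redirect is cross-origin when
// scheme, host or port differ, and only then is the scrub applied.
function headersForRedirect(
  headers: HeaderMap, requestUrl: string, location: string,
  scrub: (h: HeaderMap) => HeaderMap,
): HeaderMap {
  const target = new URL(location, requestUrl);
  const crossOrigin = target.origin !== new URL(requestUrl).origin;
  return crossOrigin ? scrub(headers) : { ...headers };
}

// Constructed sample of what a lower-casing adapter hands the redirect handler.
const SAMPLE_HEADERS: HeaderMap = {
  authorization: "Bearer <constructed-token>",
  cookie: "session=<constructed>",
  accept: "application/json",
};

// Sensitive header names that would reach a cross-origin target under a given scrub.
function leakedNames(scrub: (h: HeaderMap) => HeaderMap): string[] {
  const out = headersForRedirect(
    SAMPLE_HEADERS, "https://api.example/v1/items", "https://other.example/", scrub);
  return Object.keys(out).filter((n) => SENSITIVE.has(n));
}
```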

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 20:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Microsoft; Microsoft kiota-typescript
Vendors & Products                     Microsoft; Microsoft kiota-typescript

Fri, 19 Jun 2026 18:45:00 +0000

Type          Values Removed   Values Added
Description                    (the Description text given at the top of this page, added in full)
Title                          @microsoft/kiota-http-fetchlibrary: Bearer token and Cookie leak across origin on redirect due to case-mismatched scrub in fetchRequestAdapter
Weaknesses                     CWE-178; CWE-200
References
Metrics                        cvssV4_0: score 5.5, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-19T18:19:03.222Z

Reserved: 2026-05-29T14:35:45.902Z

Link: CVE-2026-49336

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T20:30:04Z

Weaknesses
  • CWE-178: Improper Handling of Case Sensitivity
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor