CVE-2026-44503— Kiota abstractions RedirectHandler leaks Cookie/Proxy-Authorization headers on cross-host redirect
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-44503
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Kiota abstractions RedirectHandler leaks Cookie/Proxy-Authorization headers on cross-host redirect
Source: NVD (National Vulnerability Database)
Vulnerability Description
The RedirectHandler middleware in microsoft/kiota-java (com.microsoft.kiota:microsoft-kiota-http-okHttp v1.9.0) and other Kiota libraries fails to strip sensitive HTTP headers when following 3xx redirects to a different host or scheme. Only the Authorization header is removed; Cookie, Proxy-Authorization, and all custom headers are forwarded to the redirect target.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
指向未可信站点的URL重定向(开放重定向)
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| microsoft | kiota-java | < 1.9.1 | - | |
| microsoft | Microsoft.Kiota.Abstractions | < 1.22.0 | - | |
| microsoft | github.com/microsoft/kiota-http-go | < 1.5.5 | - | |
| microsoft | kiota-typescript | < 1.0.0-preview.100 | - | |
| microsoft | microsoft-kiota-abstractions | < 1.9.1 | - | |
| microsoft | microsoft-kiota-http | < 1.9.9 | - |
II. Public POCs for CVE-2026-44503
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-44503
请登录查看更多情报信息。
Same Patch Batch · microsoft · 2026-05-14 · 3 CVEs total
| CVE-2026-41615 | 9.6 CRITICAL | Microsoft Authenticator Information Disclosure Vulnerability |
| CVE-2026-42897 | 8.1 HIGH | Microsoft Exchange Server Spoofing Vulnerability |
IV. Related Vulnerabilities
Same vendor: microsoft
- CVE-2026-46383
Microsoft APM: Windows absolute-path tar member overwrite du - CVE-2026-45539
Microsoft APM: Symlinks under `.apm/prompts/` and `.apm/agen - CVE-2026-44641
Microsoft APM: plugin.json component paths escape plugin roo - CVE-2026-41615
Microsoft Authenticator Information Disclosure Vulnerability - CVE-2026-42897
Microsoft Exchange Server Spoofing Vulnerability
Same weakness: CWE-601
- CVE-2026-42207
Magento LTS: Open Redirect via Unvalidated `uenc` Parameter - CVE-2026-44427
MCP Registry: Open Redirect - CVE-2026-44520
Docling-Graph: SSRF via Missing Internal IP Validation in UR - CVE-2026-45448
ntopng - CWE-601: URL Redirection to Untrusted Site ('Open R - CVE-2026-44372
Nitro: Open Redirect via Protocol-Relative URL Bypass in Wil
V. Comments for CVE-2026-44503
No comments yet