Skip to main content

urllib3 CVE-2026-44431

HIGH
Information Exposure (CWE-200)
2026-05-11 https://github.com/urllib3/urllib3 GHSA-qccp-gfcp-xxvc
8.2
CVSS 4.0 · Vendor: https://github.com/urllib3/urllib3
Share

Severity by source

Vendor (https://github.com/urllib3/urllib3) PRIMARY
8.2 HIGH
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Red Hat
5.9 MEDIUM
qualitative

Primary rating from Vendor (https://github.com/urllib3/urllib3).

CVSS VectorVendor: https://github.com/urllib3/urllib3

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Re-analysis Queued
May 13, 2026 - 16:22 vuln.today
cvss_changed
CVSS changed
May 13, 2026 - 16:22 NVD
8.2 (HIGH)
Source Code Evidence Fetched
May 11, 2026 - 15:15 vuln.today
Analysis Generated
May 11, 2026 - 15:15 vuln.today
CVE Published
May 11, 2026 - 14:51 nvd
HIGH

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 241 pypi packages depend on urllib3 (84 direct, 159 indirect)

Ecosystem-wide dependent count for version 1.23.

DescriptionCVE.org

Impact

When following cross-origin redirects for requests made using urllib3’s high-level APIs, such as urllib3.request(), PoolManager.request(), and ProxyManager.request(), sensitive headers - Authorization, Cookie, and Proxy-Authorization (defined in Retry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT) - are stripped by default, as expected.

However, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers.

Affected usage

Applications and libraries using urllib3 versions earlier than 2.7.0 may be affected if they allow cross-origin redirects while making requests through HTTPConnection.urlopen() instances created via ProxyManager.connection_from_url().

Remediation

Upgrade to urllib3 version 2.7.0 or later, in which sensitive headers are stripped from redirects followed by HTTPConnection.

If upgrading is not immediately possible, avoid using this low-level redirect flow for cross-origin redirects. If appropriate for your use case, switch to ProxyManager.request().

AnalysisAI

Sensitive authentication headers (Authorization, Cookie, Proxy-Authorization) leak to unintended domains when urllib3's low-level ProxyManager API follows cross-origin redirects. Applications using ProxyManager.connection_from_url().urlopen() with assert_same_host=False on urllib3 versions 1.23 through 2.6.x inadvertently forward credentials across origins, potentially exposing user sessions or API tokens to third-party servers. Vendor-released patch available in urllib3 2.7.0.

Technical ContextAI

urllib3 is a foundational HTTP client library for Python, used extensively by requests, boto3, and thousands of applications. The vulnerability stems from inconsistent header-stripping logic between urllib3's high-level APIs (PoolManager.request, urllib3.request) and low-level APIs (ProxyManager.connection_from_url). CWE-200 (Information Exposure) applies because the flaw exposes sensitive authentication material during cross-origin HTTP redirects. The high-level APIs correctly implement Retry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT, which strips Authorization, Cookie, and Proxy-Authorization headers when following redirects to different origins. However, the low-level HTTPConnection.urlopen() path used by ProxyManager.connection_from_url() bypassed this protection when assert_same_host=False was specified, allowing credentials to leak to redirect targets on different domains.

RemediationAI

Upgrade to urllib3 version 2.7.0 or later, which correctly strips sensitive headers from all redirect flows including low-level HTTPConnection paths. If immediate upgrade is not feasible, apply compensating controls: (1) refactor code to use ProxyManager.request() instead of ProxyManager.connection_from_url().urlopen() for redirect scenarios, or (2) set assert_same_host=True to prevent cross-origin redirects entirely (breaks legitimate cross-domain workflows), or (3) manually clear Authorization, Cookie, and Proxy-Authorization headers before each request if cross-origin redirects are possible (high implementation risk). Vendor advisory with complete remediation guidance available at https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc. Note that most applications using urllib3 indirectly through requests or boto3 use high-level APIs and may not require urgent action - audit your codebase for ProxyManager.connection_from_url usage specifically.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Micro 6.0 Fixed
SUSE Linux Micro 6.1 Fixed
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected

Share

CVE-2026-44431 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy