Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection

Summary Axios’ Node.js HTTP adapter can leak proxy credentials to a redirect target in affected versions. When a request is sent through an authenticated proxy, Axios may add a Proxy-Authorization header. If Axios then follows a redirect and the redirected request is no longer sent through that...

RLSA-2026:19176 Important: python3.14 security update

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fixes:...

PT-2026-44909

Patch Bypass Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix in Axios 1.15.2 Summary The Object.createnull fix introduced in Axios 1.15.2 GHSA-q8qp-cvcw-x6jj protects the top-level config object from prototype pollution. However, nested objects created...

RockyLinux 10 : python3.14 (RLSA-2026:19019)

The remote RockyLinux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2026:19019 advisory. cpython: wsgiref.headers.Headers allows header newline injection in Python CVE-2026-0865 cpython: CPython: Logging Bypass in Legacy .pyc File Handling...

RockyLinux 9 : python3.12 (RLSA-2026:19177)

The remote RockyLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2026:19177 advisory. expat: libexpat in Expat allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing CVE-2025-59375...

PT-2026-43631

Impact When @hapi/wreck follows a 3xx redirect to a different hostname, only the Authorization and Cookie headers are stripped. The standard credential header Proxy-Authorization is forwarded intact to the redirect target, potentially exposing forward-proxy credentials to a host outside the...

Security update for python312

This update for python312 fixes the following issues CVE-2026-1502: HTTP client proxy tunnel headers not validated for CR/LF bsc1261969. CVE-2026-4786: Incomplete mitigation of %action expansion for command injection to webbrowser.open bsc1262319. CVE-2026-6019: BaseCookie.jsoutput does not...

CVE-2026-7168

A flaw was found in libcurl. When a user performs a transfer over an HTTP proxy using Digest authentication and then reuses the same handle for a second transfer with a different proxy host, libcurl incorrectly sends the Proxy-Authorization header intended for the first proxy to the second proxy...

ALSA-2026:19064 Important: python3.12 security update

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fixes:...

curl: Connection reuse ignores haproxyprotocol and HAPROXY_CLIENT_IP settings, allowing PROXY context to persist across transfers

Summary: libcurl's connection pool match logic does not include the CURLOPTHAPROXYPROTOCOL setting or the CURLOPTHAPROXYCLIENTIP value in its connection match key. Two transfers issued through the same Curleasy or via a shared connection cache CURLLOCKDATACONNECT therefore share one TCP connectio...

CVE-2026-7168

Successfully using libcurl to do a transfer over a specific HTTP proxy proxyA with Digest authentication and then changing the proxy host to a second one proxyB for a second transfer, reusing the same handle, makes libcurl wrongly pass on the Proxy-Authorization: header field meant for proxyA, to...

CVE-2026-7168 cross-proxy Digest auth state leak

Successfully using libcurl to do a transfer over a specific HTTP proxy proxyA with Digest authentication and then changing the proxy host to a second one proxyB for a second transfer, reusing the same handle, makes libcurl wrongly pass on the Proxy-Authorization: header field meant for proxyA, to...

CVE-2026-7168

Successfully using libcurl to do a transfer over a specific HTTP proxy proxyA with Digest authentication and then changing the proxy host to a second one proxyB for a second transfer, reusing the same handle, makes libcurl wrongly pass on the Proxy-Authorization: header field meant for proxyA, to...

CVE-2026-7168

Successfully using libcurl to do a transfer over a specific HTTP proxy proxyA with Digest authentication and then changing the proxy host to a second one proxyB for a second transfer, reusing the same handle, makes libcurl wrongly pass on the Proxy-Authorization: header field meant for proxyA, to...

curl 安全漏洞

curl is an open-source tool developed by cURL for transferring data from a server or to a server. Curl has a security vulnerability, which stems from an error in passing the proxy authentication header. This error may cause the Proxy-Authorization header from the first proxy to be incorrectly...

EUVD-2026-29492

LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross-origin redirects. On a 3xx response, the redirect handler strips only Host and Cookie before issuing the follow-up request. Caller-supplied Authorization and Proxy-Authorization headers are se...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: golang (UTSA-2026-016822)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-016822 advisory. Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information. Tenable has extracted the preceding...

Unity Linux 20.1050e / 20.1070e Security Update: etcd (UTSA-2026-016819)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-016819 advisory. Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information. Tenable has extracted the preceding...

PT-2026-38371

Name of the Vulnerable Software and Affected Versions Netty versions prior to 4.1.133.Final Netty versions prior to 4.2.13.Final Description Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage function creates headers using...

RHCOS 4 : OpenShift Container Platform 4.8.9 (RHSA-2021:3248)

The remote Red Hat Enterprise Linux CoreOS 4 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:3248 advisory. - golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header CVE-2021-31525 - golang: net: lookup...