Vulnerability-Lookup

WID-SEC-W-2026-1513

Vulnerability from csaf_certbund - Published: 2026-05-12 22:00 - Updated: 2026-06-02 22:00

Summary

Kiali für Red Hat OpenShift Service Mesh (Axios, Go, Follow-redirects): Mehrere Schwachstellen

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Red Hat OpenShift ist eine "Platform as a Service" (PaaS) Lösung zur Bereitstellung von Applikationen in der Cloud.

Angriff: Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Kiali für Red Hat OpenShift Service Mesh ausnutzen, um erweiterte Privilegien zu erlangen, Sicherheitsmaßnahmen zu umgehen, Daten zu manipulieren oder offenzulegen oder einen Denial-of-Service-Zustand zu verursachen.

Betroffene Betriebssysteme: - Linux - Sonstiges - UNIX

CVE-2026-42033

Affected products

Known affected 14 products

Product	Identifier	Version
Red Hat OpenShift Kiali 2.22.3 Service Mesh 3.3 Red Hat / OpenShift	`cpe:/a:redhat:openshift:kiali_2.22.3_service_mesh_3.3`	Kiali 2.22.3 Service Mesh 3.3
Red Hat Enterprise Linux 10.0 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:10.0`	10
Red Hat OpenShift Network Observability 1.11.2 Red Hat / OpenShift	`cpe:/a:redhat:openshift:network_observability_1.11.2`	Network Observability 1.11.2
Red Hat Enterprise Linux Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:-`	—
Red Hat Enterprise Linux Advanced Cluster Security Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:advanced_cluster_security`	Advanced Cluster Security
Red Hat Enterprise Linux 9.6 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:9.6`	9.6
Red Hat Enterprise Linux 9.6 Extended Update Support Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:9.6_extended_update_support`	9.6 Extended Update Support
Red Hat OpenShift Service Mesh 2.6 Red Hat / OpenShift	`cpe:/a:redhat:openshift:service_mesh_2.6`	Service Mesh 2.6
Red Hat OpenShift Kiali 2.11.10 Service Mesh 3.1 Red Hat / OpenShift	`cpe:/a:redhat:openshift:kiali_2.11.10_service_mesh_3.1`	Kiali 2.11.10 Service Mesh 3.1
Red Hat Enterprise Linux 10.0 Extended Update Support Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:10.0_extended_update_support`	10.0 Extended Update Support
Red Hat Enterprise Linux Quay Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:quay`	Quay
Red Hat OpenShift Dev Spaces <3.28.0 Red Hat / OpenShift		Dev Spaces <3.28.0
Red Hat OpenShift Kiali 2.4.16 Service Mesh 3.0 Red Hat / OpenShift	`cpe:/a:redhat:openshift:kiali_2.4.16_service_mesh_3.0`	Kiali 2.4.16 Service Mesh 3.0
Red Hat OpenShift Kiali 2.17.7 Service Mesh 3.2 Red Hat / OpenShift	`cpe:/a:redhat:openshift:kiali_2.17.7_service_mesh_3.2`	Kiali 2.17.7 Service Mesh 3.2

CVE-2026-42035

Affected products

Known affected 14 products

Product	Identifier	Version
Red Hat OpenShift Kiali 2.22.3 Service Mesh 3.3 Red Hat / OpenShift	`cpe:/a:redhat:openshift:kiali_2.22.3_service_mesh_3.3`	Kiali 2.22.3 Service Mesh 3.3
Red Hat Enterprise Linux 10.0 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:10.0`	10
Red Hat OpenShift Network Observability 1.11.2 Red Hat / OpenShift	`cpe:/a:redhat:openshift:network_observability_1.11.2`	Network Observability 1.11.2
Red Hat Enterprise Linux Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:-`	—
Red Hat Enterprise Linux Advanced Cluster Security Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:advanced_cluster_security`	Advanced Cluster Security
Red Hat Enterprise Linux 9.6 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:9.6`	9.6
Red Hat Enterprise Linux 9.6 Extended Update Support Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:9.6_extended_update_support`	9.6 Extended Update Support
Red Hat OpenShift Service Mesh 2.6 Red Hat / OpenShift	`cpe:/a:redhat:openshift:service_mesh_2.6`	Service Mesh 2.6
Red Hat OpenShift Kiali 2.11.10 Service Mesh 3.1 Red Hat / OpenShift	`cpe:/a:redhat:openshift:kiali_2.11.10_service_mesh_3.1`	Kiali 2.11.10 Service Mesh 3.1
Red Hat Enterprise Linux 10.0 Extended Update Support Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:10.0_extended_update_support`	10.0 Extended Update Support
Red Hat Enterprise Linux Quay Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:quay`	Quay
Red Hat OpenShift Dev Spaces <3.28.0 Red Hat / OpenShift		Dev Spaces <3.28.0
Red Hat OpenShift Kiali 2.4.16 Service Mesh 3.0 Red Hat / OpenShift	`cpe:/a:redhat:openshift:kiali_2.4.16_service_mesh_3.0`	Kiali 2.4.16 Service Mesh 3.0
Red Hat OpenShift Kiali 2.17.7 Service Mesh 3.2 Red Hat / OpenShift	`cpe:/a:redhat:openshift:kiali_2.17.7_service_mesh_3.2`	Kiali 2.17.7 Service Mesh 3.2

CVE-2026-42039

Affected products

Known affected 14 products

Product	Identifier	Version
Red Hat OpenShift Kiali 2.22.3 Service Mesh 3.3 Red Hat / OpenShift	`cpe:/a:redhat:openshift:kiali_2.22.3_service_mesh_3.3`	Kiali 2.22.3 Service Mesh 3.3
Red Hat Enterprise Linux 10.0 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:10.0`	10
Red Hat OpenShift Network Observability 1.11.2 Red Hat / OpenShift	`cpe:/a:redhat:openshift:network_observability_1.11.2`	Network Observability 1.11.2
Red Hat Enterprise Linux Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:-`	—
Red Hat Enterprise Linux Advanced Cluster Security Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:advanced_cluster_security`	Advanced Cluster Security
Red Hat Enterprise Linux 9.6 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:9.6`	9.6
Red Hat Enterprise Linux 9.6 Extended Update Support Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:9.6_extended_update_support`	9.6 Extended Update Support
Red Hat OpenShift Service Mesh 2.6 Red Hat / OpenShift	`cpe:/a:redhat:openshift:service_mesh_2.6`	Service Mesh 2.6
Red Hat OpenShift Kiali 2.11.10 Service Mesh 3.1 Red Hat / OpenShift	`cpe:/a:redhat:openshift:kiali_2.11.10_service_mesh_3.1`	Kiali 2.11.10 Service Mesh 3.1
Red Hat Enterprise Linux 10.0 Extended Update Support Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:10.0_extended_update_support`	10.0 Extended Update Support
Red Hat Enterprise Linux Quay Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:quay`	Quay
Red Hat OpenShift Dev Spaces <3.28.0 Red Hat / OpenShift		Dev Spaces <3.28.0
Red Hat OpenShift Kiali 2.4.16 Service Mesh 3.0 Red Hat / OpenShift	`cpe:/a:redhat:openshift:kiali_2.4.16_service_mesh_3.0`	Kiali 2.4.16 Service Mesh 3.0
Red Hat OpenShift Kiali 2.17.7 Service Mesh 3.2 Red Hat / OpenShift	`cpe:/a:redhat:openshift:kiali_2.17.7_service_mesh_3.2`	Kiali 2.17.7 Service Mesh 3.2

CVE-2026-42041

Affected products

Known affected 14 products

Product	Identifier	Version
Red Hat OpenShift Kiali 2.22.3 Service Mesh 3.3 Red Hat / OpenShift	`cpe:/a:redhat:openshift:kiali_2.22.3_service_mesh_3.3`	Kiali 2.22.3 Service Mesh 3.3
Red Hat Enterprise Linux 10.0 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:10.0`	10
Red Hat OpenShift Network Observability 1.11.2 Red Hat / OpenShift	`cpe:/a:redhat:openshift:network_observability_1.11.2`	Network Observability 1.11.2
Red Hat Enterprise Linux Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:-`	—
Red Hat Enterprise Linux Advanced Cluster Security Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:advanced_cluster_security`	Advanced Cluster Security
Red Hat Enterprise Linux 9.6 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:9.6`	9.6
Red Hat Enterprise Linux 9.6 Extended Update Support Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:9.6_extended_update_support`	9.6 Extended Update Support
Red Hat OpenShift Service Mesh 2.6 Red Hat / OpenShift	`cpe:/a:redhat:openshift:service_mesh_2.6`	Service Mesh 2.6
Red Hat OpenShift Kiali 2.11.10 Service Mesh 3.1 Red Hat / OpenShift	`cpe:/a:redhat:openshift:kiali_2.11.10_service_mesh_3.1`	Kiali 2.11.10 Service Mesh 3.1
Red Hat Enterprise Linux 10.0 Extended Update Support Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:10.0_extended_update_support`	10.0 Extended Update Support
Red Hat Enterprise Linux Quay Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:quay`	Quay
Red Hat OpenShift Dev Spaces <3.28.0 Red Hat / OpenShift		Dev Spaces <3.28.0
Red Hat OpenShift Kiali 2.4.16 Service Mesh 3.0 Red Hat / OpenShift	`cpe:/a:redhat:openshift:kiali_2.4.16_service_mesh_3.0`	Kiali 2.4.16 Service Mesh 3.0
Red Hat OpenShift Kiali 2.17.7 Service Mesh 3.2 Red Hat / OpenShift	`cpe:/a:redhat:openshift:kiali_2.17.7_service_mesh_3.2`	Kiali 2.17.7 Service Mesh 3.2

CVE-2026-42043

Affected products

Known affected 14 products

Product	Identifier	Version
Red Hat OpenShift Kiali 2.22.3 Service Mesh 3.3 Red Hat / OpenShift	`cpe:/a:redhat:openshift:kiali_2.22.3_service_mesh_3.3`	Kiali 2.22.3 Service Mesh 3.3
Red Hat Enterprise Linux 10.0 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:10.0`	10
Red Hat OpenShift Network Observability 1.11.2 Red Hat / OpenShift	`cpe:/a:redhat:openshift:network_observability_1.11.2`	Network Observability 1.11.2
Red Hat Enterprise Linux Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:-`	—
Red Hat Enterprise Linux Advanced Cluster Security Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:advanced_cluster_security`	Advanced Cluster Security
Red Hat Enterprise Linux 9.6 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:9.6`	9.6
Red Hat Enterprise Linux 9.6 Extended Update Support Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:9.6_extended_update_support`	9.6 Extended Update Support
Red Hat OpenShift Service Mesh 2.6 Red Hat / OpenShift	`cpe:/a:redhat:openshift:service_mesh_2.6`	Service Mesh 2.6
Red Hat OpenShift Kiali 2.11.10 Service Mesh 3.1 Red Hat / OpenShift	`cpe:/a:redhat:openshift:kiali_2.11.10_service_mesh_3.1`	Kiali 2.11.10 Service Mesh 3.1
Red Hat Enterprise Linux 10.0 Extended Update Support Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:10.0_extended_update_support`	10.0 Extended Update Support
Red Hat Enterprise Linux Quay Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:quay`	Quay
Red Hat OpenShift Dev Spaces <3.28.0 Red Hat / OpenShift		Dev Spaces <3.28.0
Red Hat OpenShift Kiali 2.4.16 Service Mesh 3.0 Red Hat / OpenShift	`cpe:/a:redhat:openshift:kiali_2.4.16_service_mesh_3.0`	Kiali 2.4.16 Service Mesh 3.0
Red Hat OpenShift Kiali 2.17.7 Service Mesh 3.2 Red Hat / OpenShift	`cpe:/a:redhat:openshift:kiali_2.17.7_service_mesh_3.2`	Kiali 2.17.7 Service Mesh 3.2

CVE-2026-42044

Affected products

Known affected 14 products

Product	Identifier	Version
Red Hat OpenShift Kiali 2.22.3 Service Mesh 3.3 Red Hat / OpenShift	`cpe:/a:redhat:openshift:kiali_2.22.3_service_mesh_3.3`	Kiali 2.22.3 Service Mesh 3.3
Red Hat Enterprise Linux 10.0 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:10.0`	10
Red Hat OpenShift Network Observability 1.11.2 Red Hat / OpenShift	`cpe:/a:redhat:openshift:network_observability_1.11.2`	Network Observability 1.11.2
Red Hat Enterprise Linux Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:-`	—
Red Hat Enterprise Linux Advanced Cluster Security Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:advanced_cluster_security`	Advanced Cluster Security
Red Hat Enterprise Linux 9.6 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:9.6`	9.6
Red Hat Enterprise Linux 9.6 Extended Update Support Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:9.6_extended_update_support`	9.6 Extended Update Support
Red Hat OpenShift Service Mesh 2.6 Red Hat / OpenShift	`cpe:/a:redhat:openshift:service_mesh_2.6`	Service Mesh 2.6
Red Hat OpenShift Kiali 2.11.10 Service Mesh 3.1 Red Hat / OpenShift	`cpe:/a:redhat:openshift:kiali_2.11.10_service_mesh_3.1`	Kiali 2.11.10 Service Mesh 3.1
Red Hat Enterprise Linux 10.0 Extended Update Support Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:10.0_extended_update_support`	10.0 Extended Update Support
Red Hat Enterprise Linux Quay Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:quay`	Quay
Red Hat OpenShift Dev Spaces <3.28.0 Red Hat / OpenShift		Dev Spaces <3.28.0
Red Hat OpenShift Kiali 2.4.16 Service Mesh 3.0 Red Hat / OpenShift	`cpe:/a:redhat:openshift:kiali_2.4.16_service_mesh_3.0`	Kiali 2.4.16 Service Mesh 3.0
Red Hat OpenShift Kiali 2.17.7 Service Mesh 3.2 Red Hat / OpenShift	`cpe:/a:redhat:openshift:kiali_2.17.7_service_mesh_3.2`	Kiali 2.17.7 Service Mesh 3.2

CVE-2026-32280

Affected products

Known affected 14 products

Product	Identifier	Version
Red Hat OpenShift Kiali 2.22.3 Service Mesh 3.3 Red Hat / OpenShift	`cpe:/a:redhat:openshift:kiali_2.22.3_service_mesh_3.3`	Kiali 2.22.3 Service Mesh 3.3
Red Hat Enterprise Linux 10.0 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:10.0`	10
Red Hat OpenShift Network Observability 1.11.2 Red Hat / OpenShift	`cpe:/a:redhat:openshift:network_observability_1.11.2`	Network Observability 1.11.2
Red Hat Enterprise Linux Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:-`	—
Red Hat Enterprise Linux Advanced Cluster Security Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:advanced_cluster_security`	Advanced Cluster Security
Red Hat Enterprise Linux 9.6 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:9.6`	9.6
Red Hat Enterprise Linux 9.6 Extended Update Support Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:9.6_extended_update_support`	9.6 Extended Update Support
Red Hat OpenShift Service Mesh 2.6 Red Hat / OpenShift	`cpe:/a:redhat:openshift:service_mesh_2.6`	Service Mesh 2.6
Red Hat OpenShift Kiali 2.11.10 Service Mesh 3.1 Red Hat / OpenShift	`cpe:/a:redhat:openshift:kiali_2.11.10_service_mesh_3.1`	Kiali 2.11.10 Service Mesh 3.1
Red Hat Enterprise Linux 10.0 Extended Update Support Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:10.0_extended_update_support`	10.0 Extended Update Support
Red Hat Enterprise Linux Quay Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:quay`	Quay
Red Hat OpenShift Dev Spaces <3.28.0 Red Hat / OpenShift		Dev Spaces <3.28.0
Red Hat OpenShift Kiali 2.4.16 Service Mesh 3.0 Red Hat / OpenShift	`cpe:/a:redhat:openshift:kiali_2.4.16_service_mesh_3.0`	Kiali 2.4.16 Service Mesh 3.0
Red Hat OpenShift Kiali 2.17.7 Service Mesh 3.2 Red Hat / OpenShift	`cpe:/a:redhat:openshift:kiali_2.17.7_service_mesh_3.2`	Kiali 2.17.7 Service Mesh 3.2

CVE-2026-40895

Affected products

Known affected 14 products

Product	Identifier	Version
Red Hat OpenShift Kiali 2.22.3 Service Mesh 3.3 Red Hat / OpenShift	`cpe:/a:redhat:openshift:kiali_2.22.3_service_mesh_3.3`	Kiali 2.22.3 Service Mesh 3.3
Red Hat Enterprise Linux 10.0 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:10.0`	10
Red Hat OpenShift Network Observability 1.11.2 Red Hat / OpenShift	`cpe:/a:redhat:openshift:network_observability_1.11.2`	Network Observability 1.11.2
Red Hat Enterprise Linux Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:-`	—
Red Hat Enterprise Linux Advanced Cluster Security Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:advanced_cluster_security`	Advanced Cluster Security
Red Hat Enterprise Linux 9.6 Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:9.6`	9.6
Red Hat Enterprise Linux 9.6 Extended Update Support Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:9.6_extended_update_support`	9.6 Extended Update Support
Red Hat OpenShift Service Mesh 2.6 Red Hat / OpenShift	`cpe:/a:redhat:openshift:service_mesh_2.6`	Service Mesh 2.6
Red Hat OpenShift Kiali 2.11.10 Service Mesh 3.1 Red Hat / OpenShift	`cpe:/a:redhat:openshift:kiali_2.11.10_service_mesh_3.1`	Kiali 2.11.10 Service Mesh 3.1
Red Hat Enterprise Linux 10.0 Extended Update Support Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:10.0_extended_update_support`	10.0 Extended Update Support
Red Hat Enterprise Linux Quay Red Hat / Enterprise Linux	`cpe:/o:redhat:enterprise_linux:quay`	Quay
Red Hat OpenShift Dev Spaces <3.28.0 Red Hat / OpenShift		Dev Spaces <3.28.0
Red Hat OpenShift Kiali 2.4.16 Service Mesh 3.0 Red Hat / OpenShift	`cpe:/a:redhat:openshift:kiali_2.4.16_service_mesh_3.0`	Kiali 2.4.16 Service Mesh 3.0
Red Hat OpenShift Kiali 2.17.7 Service Mesh 3.2 Red Hat / OpenShift	`cpe:/a:redhat:openshift:kiali_2.17.7_service_mesh_3.2`	Kiali 2.17.7 Service Mesh 3.2

References

26 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://access.redhat.com/errata/RHSA-2026:16532	external
https://access.redhat.com/errata/RHSA-2026:16534	external
https://access.redhat.com/errata/RHSA-2026:16535	external
https://access.redhat.com/errata/RHSA-2026:16542	external
https://access.redhat.com/errata/RHSA-2026:16874	external
https://access.redhat.com/errata/RHSA-2026:17287	external
https://access.redhat.com/errata/RHSA-2026:17084	external
https://access.redhat.com/errata/RHSA-2026:17474	external
https://access.redhat.com/errata/RHSA-2026:19109	external
https://access.redhat.com/errata/RHSA-2026:19375	external
https://access.redhat.com/errata/RHSA-2026:19712	external
https://access.redhat.com/errata/RHSA-2026:20338	external
https://access.redhat.com/errata/RHSA-2026:20607	external
https://access.redhat.com/errata/RHSA-2026:20608	external
https://access.redhat.com/errata/RHSA-2026:20609	external
https://access.redhat.com/errata/RHSA-2026:20454	external
https://access.redhat.com/errata/RHSA-2026:20571	external
https://access.redhat.com/errata/RHSA-2026:21017	external
https://access.redhat.com/errata/RHSA-2026:20938	external
https://access.redhat.com/errata/RHSA-2026:20889	external
https://access.redhat.com/errata/RHSA-2026:21772	external
https://access.redhat.com/errata/RHSA-2026:22465	external
https://access.redhat.com/errata/RHSA-2026:22629	external
https://access.redhat.com/errata/RHSA-2026:22619	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Red Hat OpenShift ist eine \"Platform as a Service\" (PaaS) L\u00f6sung zur Bereitstellung von Applikationen in der Cloud.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Kiali f\u00fcr Red Hat OpenShift Service Mesh ausnutzen, um erweiterte Privilegien zu erlangen, Sicherheitsma\u00dfnahmen zu umgehen, Daten zu manipulieren oder offenzulegen oder einen Denial-of-Service-Zustand zu verursachen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- Sonstiges\n- UNIX",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-1513 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-1513.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-1513 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1513"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:16532 vom 2026-05-12",
        "url": "https://access.redhat.com/errata/RHSA-2026:16532"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:16534 vom 2026-05-12",
        "url": "https://access.redhat.com/errata/RHSA-2026:16534"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:16535 vom 2026-05-12",
        "url": "https://access.redhat.com/errata/RHSA-2026:16535"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:16542 vom 2026-05-12",
        "url": "https://access.redhat.com/errata/RHSA-2026:16542"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:16874 vom 2026-05-13",
        "url": "https://access.redhat.com/errata/RHSA-2026:16874"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:17287 vom 2026-05-13",
        "url": "https://access.redhat.com/errata/RHSA-2026:17287"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:17084 vom 2026-05-13",
        "url": "https://access.redhat.com/errata/RHSA-2026:17084"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:17474 vom 2026-05-19",
        "url": "https://access.redhat.com/errata/RHSA-2026:17474"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:19109 vom 2026-05-19",
        "url": "https://access.redhat.com/errata/RHSA-2026:19109"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:19375 vom 2026-05-20",
        "url": "https://access.redhat.com/errata/RHSA-2026:19375"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:19712 vom 2026-05-21",
        "url": "https://access.redhat.com/errata/RHSA-2026:19712"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:20338 vom 2026-05-22",
        "url": "https://access.redhat.com/errata/RHSA-2026:20338"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:20607 vom 2026-05-26",
        "url": "https://access.redhat.com/errata/RHSA-2026:20607"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:20608 vom 2026-05-26",
        "url": "https://access.redhat.com/errata/RHSA-2026:20608"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:20609 vom 2026-05-26",
        "url": "https://access.redhat.com/errata/RHSA-2026:20609"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:20454 vom 2026-05-25",
        "url": "https://access.redhat.com/errata/RHSA-2026:20454"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:20571 vom 2026-05-26",
        "url": "https://access.redhat.com/errata/RHSA-2026:20571"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:21017 vom 2026-05-26",
        "url": "https://access.redhat.com/errata/RHSA-2026:21017"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:20938 vom 2026-05-26",
        "url": "https://access.redhat.com/errata/RHSA-2026:20938"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:20889 vom 2026-05-26",
        "url": "https://access.redhat.com/errata/RHSA-2026:20889"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:21772 vom 2026-05-29",
        "url": "https://access.redhat.com/errata/RHSA-2026:21772"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:22465 vom 2026-06-02",
        "url": "https://access.redhat.com/errata/RHSA-2026:22465"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:22629 vom 2026-06-02",
        "url": "https://access.redhat.com/errata/RHSA-2026:22629"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:22619 vom 2026-06-02",
        "url": "https://access.redhat.com/errata/RHSA-2026:22619"
      }
    ],
    "source_lang": "en-US",
    "title": "Kiali f\u00fcr Red Hat OpenShift Service Mesh (Axios, Go, Follow-redirects): Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-06-02T22:00:00.000+00:00",
      "generator": {
        "date": "2026-06-03T06:02:38.633+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.6.0"
        }
      },
      "id": "WID-SEC-W-2026-1513",
      "initial_release_date": "2026-05-12T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-05-12T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2026-05-14T22:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-05-19T22:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-05-20T22:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-05-21T22:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-05-25T22:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-05-26T22:00:00.000+00:00",
          "number": "7",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-05-28T22:00:00.000+00:00",
          "number": "8",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-06-02T22:00:00.000+00:00",
          "number": "9",
          "summary": "Neue Updates von Red Hat aufgenommen"
        }
      ],
      "status": "final",
      "version": "9"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux",
                "product": {
                  "name": "Red Hat Enterprise Linux",
                  "product_id": "67646",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:-"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "Advanced Cluster Security",
                "product": {
                  "name": "Red Hat Enterprise Linux Advanced Cluster Security",
                  "product_id": "T049494",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:advanced_cluster_security"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "10.0 Extended Update Support",
                "product": {
                  "name": "Red Hat Enterprise Linux 10.0 Extended Update Support",
                  "product_id": "T054025",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:10.0_extended_update_support"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "9.6 Extended Update Support",
                "product": {
                  "name": "Red Hat Enterprise Linux 9.6 Extended Update Support",
                  "product_id": "T054028",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:9.6_extended_update_support"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "9.6",
                "product": {
                  "name": "Red Hat Enterprise Linux 9.6",
                  "product_id": "T054657",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:9.6"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "10",
                "product": {
                  "name": "Red Hat Enterprise Linux 10.0",
                  "product_id": "T054693",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:10.0"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "Quay",
                "product": {
                  "name": "Red Hat Enterprise Linux Quay",
                  "product_id": "T054709",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:quay"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Enterprise Linux"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "Kiali 2.4.16 Service Mesh 3.0",
                "product": {
                  "name": "Red Hat OpenShift Kiali 2.4.16 Service Mesh 3.0",
                  "product_id": "T053978",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openshift:kiali_2.4.16_service_mesh_3.0"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "Kiali 2.17.7 Service Mesh 3.2",
                "product": {
                  "name": "Red Hat OpenShift Kiali 2.17.7 Service Mesh 3.2",
                  "product_id": "T053979",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openshift:kiali_2.17.7_service_mesh_3.2"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "Kiali 2.22.3 Service Mesh 3.3",
                "product": {
                  "name": "Red Hat OpenShift Kiali 2.22.3 Service Mesh 3.3",
                  "product_id": "T053980",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openshift:kiali_2.22.3_service_mesh_3.3"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "Kiali 2.11.10 Service Mesh 3.1",
                "product": {
                  "name": "Red Hat OpenShift Kiali 2.11.10 Service Mesh 3.1",
                  "product_id": "T053981",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openshift:kiali_2.11.10_service_mesh_3.1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "Network Observability 1.11.2",
                "product": {
                  "name": "Red Hat OpenShift Network Observability 1.11.2",
                  "product_id": "T054021",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openshift:network_observability_1.11.2"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "Service Mesh 2.6",
                "product": {
                  "name": "Red Hat OpenShift Service Mesh 2.6",
                  "product_id": "T054544",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openshift:service_mesh_2.6"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Dev Spaces \u003c3.28.0",
                "product": {
                  "name": "Red Hat OpenShift Dev Spaces \u003c3.28.0",
                  "product_id": "T054838"
                }
              },
              {
                "category": "product_version",
                "name": "Dev Spaces 3.28.0",
                "product": {
                  "name": "Red Hat OpenShift Dev Spaces 3.28.0",
                  "product_id": "T054838-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openshift:dev_spaces__3.28.0"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "OpenShift"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-42033",
      "product_status": {
        "known_affected": [
          "T053980",
          "T054693",
          "T054021",
          "67646",
          "T049494",
          "T054657",
          "T054028",
          "T054544",
          "T053981",
          "T054025",
          "T054709",
          "T054838",
          "T053978",
          "T053979"
        ]
      },
      "release_date": "2026-05-12T22:00:00.000+00:00",
      "title": "CVE-2026-42033"
    },
    {
      "cve": "CVE-2026-42035",
      "product_status": {
        "known_affected": [
          "T053980",
          "T054693",
          "T054021",
          "67646",
          "T049494",
          "T054657",
          "T054028",
          "T054544",
          "T053981",
          "T054025",
          "T054709",
          "T054838",
          "T053978",
          "T053979"
        ]
      },
      "release_date": "2026-05-12T22:00:00.000+00:00",
      "title": "CVE-2026-42035"
    },
    {
      "cve": "CVE-2026-42039",
      "product_status": {
        "known_affected": [
          "T053980",
          "T054693",
          "T054021",
          "67646",
          "T049494",
          "T054657",
          "T054028",
          "T054544",
          "T053981",
          "T054025",
          "T054709",
          "T054838",
          "T053978",
          "T053979"
        ]
      },
      "release_date": "2026-05-12T22:00:00.000+00:00",
      "title": "CVE-2026-42039"
    },
    {
      "cve": "CVE-2026-42041",
      "product_status": {
        "known_affected": [
          "T053980",
          "T054693",
          "T054021",
          "67646",
          "T049494",
          "T054657",
          "T054028",
          "T054544",
          "T053981",
          "T054025",
          "T054709",
          "T054838",
          "T053978",
          "T053979"
        ]
      },
      "release_date": "2026-05-12T22:00:00.000+00:00",
      "title": "CVE-2026-42041"
    },
    {
      "cve": "CVE-2026-42043",
      "product_status": {
        "known_affected": [
          "T053980",
          "T054693",
          "T054021",
          "67646",
          "T049494",
          "T054657",
          "T054028",
          "T054544",
          "T053981",
          "T054025",
          "T054709",
          "T054838",
          "T053978",
          "T053979"
        ]
      },
      "release_date": "2026-05-12T22:00:00.000+00:00",
      "title": "CVE-2026-42043"
    },
    {
      "cve": "CVE-2026-42044",
      "product_status": {
        "known_affected": [
          "T053980",
          "T054693",
          "T054021",
          "67646",
          "T049494",
          "T054657",
          "T054028",
          "T054544",
          "T053981",
          "T054025",
          "T054709",
          "T054838",
          "T053978",
          "T053979"
        ]
      },
      "release_date": "2026-05-12T22:00:00.000+00:00",
      "title": "CVE-2026-42044"
    },
    {
      "cve": "CVE-2026-32280",
      "product_status": {
        "known_affected": [
          "T053980",
          "T054693",
          "T054021",
          "67646",
          "T049494",
          "T054657",
          "T054028",
          "T054544",
          "T053981",
          "T054025",
          "T054709",
          "T054838",
          "T053978",
          "T053979"
        ]
      },
      "release_date": "2026-05-12T22:00:00.000+00:00",
      "title": "CVE-2026-32280"
    },
    {
      "cve": "CVE-2026-40895",
      "product_status": {
        "known_affected": [
          "T053980",
          "T054693",
          "T054021",
          "67646",
          "T049494",
          "T054657",
          "T054028",
          "T054544",
          "T053981",
          "T054025",
          "T054709",
          "T054838",
          "T053978",
          "T053979"
        ]
      },
      "release_date": "2026-05-12T22:00:00.000+00:00",
      "title": "CVE-2026-40895"
    }
  ]
}

CVE-2026-32280 (GCVE-0-2026-32280)

Vulnerability from cvelistv5 – Published: 2026-04-08 01:06 – Updated: 2026-04-08 17:46

Title

Unexpected work during chain building in crypto/x509

Summary

During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-770 - Allocation of Resources Without Limits or Throttling

Assigner

References

4 references

URL	Tags
https://go.dev/cl/758320
https://go.dev/issue/78282
https://groups.google.com/g/golang-announce/c/0uY…
https://pkg.go.dev/vuln/GO-2026-4947

Impacted products

1 product

Vendor	Product	Version
Go standard library	crypto/x509	Affected: 0 , < 1.25.9 (semver) Affected: 1.26.0-0 , < 1.26.2 (semver)

Credits

Jakub Ciolek - https://ciolek.dev

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-32280",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-08T17:46:14.569488Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-770",
                "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-08T17:46:47.347Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "crypto/x509",
          "product": "crypto/x509",
          "programRoutines": [
            {
              "name": "Certificate.buildChains"
            },
            {
              "name": "Certificate.Verify"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.25.9",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.26.2",
              "status": "affected",
              "version": "1.26.0-0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Jakub Ciolek - https://ciolek.dev"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T01:06:58.595Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/758320"
        },
        {
          "url": "https://go.dev/issue/78282"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2026-4947"
        }
      ],
      "title": "Unexpected work during chain building in crypto/x509"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2026-32280",
    "datePublished": "2026-04-08T01:06:58.595Z",
    "dateReserved": "2026-03-11T16:38:46.555Z",
    "dateUpdated": "2026-04-08T17:46:47.347Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-40895 (GCVE-0-2026-40895)

Vulnerability from cvelistv5 – Published: 2026-04-21 19:59 – Updated: 2026-04-22 13:31

Title

follow-redirects: Custom Authentication Headers Leaked to Cross-Domain Redirect Targets

Summary

follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. Prior to 1.16.0, when an HTTP request follows a cross-domain redirect (301/302/307/308), follow-redirects only strips authorization, proxy-authorization, and cookie headers (matched by regex at index.js). Any custom authentication header (e.g., X-API-Key, X-Auth-Token, Api-Key, Token) is forwarded verbatim to the redirect target. This vulnerability is fixed in 1.16.0.

Severity

6.9 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/follow-redirects/follow-redire…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
follow-redirects	follow-redirects	Affected: < 1.16.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-40895",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-22T13:31:13.035788Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-22T13:31:34.652Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "follow-redirects",
          "vendor": "follow-redirects",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.16.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "follow-redirects is an open source, drop-in replacement for Node\u0027s `http` and `https` modules that automatically follows redirects. Prior to 1.16.0, when an HTTP request follows a cross-domain redirect (301/302/307/308), follow-redirects only strips authorization, proxy-authorization, and cookie headers (matched by regex at index.js). Any custom authentication header (e.g., X-API-Key, X-Auth-Token, Api-Key, Token) is forwarded verbatim to the redirect target. This vulnerability is fixed in 1.16.0."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-21T19:59:59.759Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-r4q5-vmmm-2653",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-r4q5-vmmm-2653"
        }
      ],
      "source": {
        "advisory": "GHSA-r4q5-vmmm-2653",
        "discovery": "UNKNOWN"
      },
      "title": "follow-redirects: Custom Authentication Headers Leaked to Cross-Domain Redirect Targets"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-40895",
    "datePublished": "2026-04-21T19:59:59.759Z",
    "dateReserved": "2026-04-15T16:37:22.766Z",
    "dateUpdated": "2026-04-22T13:31:34.652Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42033 (GCVE-0-2026-42033)

Vulnerability from cvelistv5 – Published: 2026-04-24 17:36 – Updated: 2026-04-25 03:55

Title

Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking

Summary

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when Object.prototype has been polluted by any co-dependency with keys that axios reads without a hasOwnProperty guard, an attacker can (a) silently intercept and modify every JSON response before the application sees it, or (b) fully hijack the underlying HTTP transport, gaining access to request credentials, headers, and body. The precondition is prototype pollution from a separate source in the same process. This vulnerability is fixed in 1.15.1 and 0.31.1.

Severity

7.4 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

SSVC

Exploitation: poc Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/axios/axios/security/advisorie…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
axios	axios	Affected: >= 1.0.0, < 1.15.1 Affected: < 0.31.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42033",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-24T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-25T03:55:57.725Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/axios/axios/security/advisories/GHSA-pf86-5x62-jrwf"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "axios",
          "vendor": "axios",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.0.0, \u003c 1.15.1"
            },
            {
              "status": "affected",
              "version": "\u003c 0.31.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, when Object.prototype has been polluted by any co-dependency with keys that axios reads without a hasOwnProperty guard, an attacker can (a) silently intercept and modify every JSON response before the application sees it, or (b) fully hijack the underlying HTTP transport, gaining access to request credentials, headers, and body. The precondition is prototype pollution from a separate source in the same process. This vulnerability is fixed in 1.15.1 and 0.31.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1321",
              "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-24T17:36:44.132Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/axios/axios/security/advisories/GHSA-pf86-5x62-jrwf",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/axios/axios/security/advisories/GHSA-pf86-5x62-jrwf"
        }
      ],
      "source": {
        "advisory": "GHSA-pf86-5x62-jrwf",
        "discovery": "UNKNOWN"
      },
      "title": "Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42033",
    "datePublished": "2026-04-24T17:36:44.132Z",
    "dateReserved": "2026-04-23T16:05:01.708Z",
    "dateUpdated": "2026-04-25T03:55:57.725Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42035 (GCVE-0-2026-42035)

Vulnerability from cvelistv5 – Published: 2026-04-24 17:38 – Updated: 2026-04-25 03:55

Title

Axios: Header Injection via Prototype Pollution

Summary

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, a prototype pollution gadget exists in the Axios HTTP adapter (lib/adapters/http.js) that allows an attacker to inject arbitrary HTTP headers into outgoing requests. The vulnerability exploits duck-type checking of the data payload, where if Object.prototype is polluted with getHeaders, append, pipe, on, once, and Symbol.toStringTag, Axios misidentifies any plain object payload as a FormData instance and calls the attacker-controlled getHeaders() function, merging the returned headers into the outgoing request. The vulnerable code resides exclusively in lib/adapters/http.js. The prototype pollution source does not need to originate from Axios itself — any prototype pollution primitive in any dependency in the application's dependency tree is sufficient to trigger this gadget. This vulnerability is fixed in 1.15.1 and 0.31.1.

Severity

7.4 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

SSVC

Exploitation: poc Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/axios/axios/security/advisorie…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
axios	axios	Affected: >= 1.0.0, < 1.15.1 Affected: < 0.31.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42035",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-24T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-25T03:55:59.169Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/axios/axios/security/advisories/GHSA-6chq-wfr3-2hj9"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "axios",
          "vendor": "axios",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.0.0, \u003c 1.15.1"
            },
            {
              "status": "affected",
              "version": "\u003c 0.31.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, a prototype pollution gadget exists in the Axios HTTP adapter (lib/adapters/http.js) that allows an attacker to inject arbitrary HTTP headers into outgoing requests. The vulnerability exploits duck-type checking of the data payload, where if Object.prototype is polluted with getHeaders, append, pipe, on, once, and Symbol.toStringTag, Axios misidentifies any plain object payload as a FormData instance and calls the attacker-controlled getHeaders() function, merging the returned headers into the outgoing request. The vulnerable code resides exclusively in lib/adapters/http.js. The prototype pollution source does not need to originate from Axios itself \u2014 any prototype pollution primitive in any dependency in the application\u0027s dependency tree is sufficient to trigger this gadget. This vulnerability is fixed in 1.15.1 and 0.31.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-113",
              "description": "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-1321",
              "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-24T17:38:07.752Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/axios/axios/security/advisories/GHSA-6chq-wfr3-2hj9",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/axios/axios/security/advisories/GHSA-6chq-wfr3-2hj9"
        }
      ],
      "source": {
        "advisory": "GHSA-6chq-wfr3-2hj9",
        "discovery": "UNKNOWN"
      },
      "title": "Axios: Header Injection via Prototype Pollution"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42035",
    "datePublished": "2026-04-24T17:38:07.752Z",
    "dateReserved": "2026-04-23T16:05:01.708Z",
    "dateUpdated": "2026-04-25T03:55:59.169Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42039 (GCVE-0-2026-42039)

Vulnerability from cvelistv5 – Published: 2026-04-24 18:01 – Updated: 2026-04-24 18:14

Title

Axios: unbounded recursion in toFormData causes DoS via deeply nested request data

Summary

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, toFormData recursively walks nested objects with no depth limit, so a deeply nested value passed as request data crashes the Node.js process with a RangeError. This vulnerability is fixed in 1.15.1 and 0.31.1.

Severity

6.9 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

SSVC

Exploitation: poc Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-674 - Uncontrolled Recursion

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/axios/axios/security/advisorie…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
axios	axios	Affected: >= 1.0.0, < 1.15.1 Affected: < 0.31.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42039",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-24T18:14:11.509943Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-24T18:14:37.802Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/axios/axios/security/advisories/GHSA-62hf-57xw-28j9"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "axios",
          "vendor": "axios",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.0.0, \u003c 1.15.1"
            },
            {
              "status": "affected",
              "version": "\u003c 0.31.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, toFormData recursively walks nested objects with no depth limit, so a deeply nested value passed as request data crashes the Node.js process with a RangeError. This vulnerability is fixed in 1.15.1 and 0.31.1."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-674",
              "description": "CWE-674: Uncontrolled Recursion",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-24T18:01:30.775Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/axios/axios/security/advisories/GHSA-62hf-57xw-28j9",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/axios/axios/security/advisories/GHSA-62hf-57xw-28j9"
        }
      ],
      "source": {
        "advisory": "GHSA-62hf-57xw-28j9",
        "discovery": "UNKNOWN"
      },
      "title": "Axios: unbounded recursion in toFormData causes DoS via deeply nested request data"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42039",
    "datePublished": "2026-04-24T18:01:30.775Z",
    "dateReserved": "2026-04-23T16:05:01.709Z",
    "dateUpdated": "2026-04-24T18:14:37.802Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42041 (GCVE-0-2026-42041)

Vulnerability from cvelistv5 – Published: 2026-04-24 17:55 – Updated: 2026-04-24 18:32

Title

Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy

Summary

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution to silently suppress all HTTP error responses (401, 403, 500, etc.), causing them to be treated as successful responses. This completely bypasses application-level authentication and error handling. The root cause is that validateStatus is the only config property using the mergeDirectKeys merge strategy, which uses JavaScript's in operator — an operator that inherently traverses the prototype chain. When Object.prototype.validateStatus is polluted with () => true, all HTTP status codes are accepted as success. This vulnerability is fixed in 1.15.1 and 0.31.1.

Severity

4.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

SSVC

Exploitation: poc Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-287 - Improper Authentication
CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/axios/axios/security/advisorie…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
axios	axios	Affected: >= 1.0.0, < 1.15.1 Affected: < 0.31.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42041",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-24T18:29:47.107016Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-24T18:32:58.115Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/axios/axios/security/advisories/GHSA-w9j2-pvgh-6h63"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "axios",
          "vendor": "axios",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.0.0, \u003c 1.15.1"
            },
            {
              "status": "affected",
              "version": "\u003c 0.31.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library is vulnerable to a Prototype Pollution \"Gadget\" attack that allows any Object.prototype pollution to silently suppress all HTTP error responses (401, 403, 500, etc.), causing them to be treated as successful responses. This completely bypasses application-level authentication and error handling. The root cause is that validateStatus is the only config property using the mergeDirectKeys merge strategy, which uses JavaScript\u0027s in operator \u2014 an operator that inherently traverses the prototype chain. When Object.prototype.validateStatus is polluted with () =\u003e true, all HTTP status codes are accepted as success. This vulnerability is fixed in 1.15.1 and 0.31.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "CWE-287: Improper Authentication",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-1321",
              "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-24T17:55:30.036Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/axios/axios/security/advisories/GHSA-w9j2-pvgh-6h63",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/axios/axios/security/advisories/GHSA-w9j2-pvgh-6h63"
        }
      ],
      "source": {
        "advisory": "GHSA-w9j2-pvgh-6h63",
        "discovery": "UNKNOWN"
      },
      "title": "Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42041",
    "datePublished": "2026-04-24T17:55:30.036Z",
    "dateReserved": "2026-04-23T16:05:01.709Z",
    "dateUpdated": "2026-04-24T18:32:58.115Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42043 (GCVE-0-2026-42043)

Vulnerability from cvelistv5 – Published: 2026-04-24 17:54 – Updated: 2026-04-27 13:47

Title

Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0

Summary

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, an attacker who can influence the target URL of an Axios request can use any address in the 127.0.0.0/8 range (other than 127.0.0.1) to completely bypass the NO_PROXY protection. This vulnerability is due to an incomplete for CVE-2025-62718, This vulnerability is fixed in 1.15.1 and 0.31.1.

Severity

7.2 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

SSVC

Exploitation: poc Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-183 - Permissive List of Allowed Inputs
CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')
CWE-918 - Server-Side Request Forgery (SSRF)

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/axios/axios/security/advisorie…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
axios	axios	Affected: >= 1.0.0, < 1.15.1 Affected: < 0.31.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42043",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-27T13:47:20.443878Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-27T13:47:24.724Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/axios/axios/security/advisories/GHSA-pmwg-cvhr-8vh7"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "axios",
          "vendor": "axios",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.0.0, \u003c 1.15.1"
            },
            {
              "status": "affected",
              "version": "\u003c 0.31.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, an attacker who can influence the target URL of an Axios request can use any address in the 127.0.0.0/8 range (other than 127.0.0.1) to completely bypass the NO_PROXY protection. This vulnerability is due to an incomplete for CVE-2025-62718, This vulnerability is fixed in 1.15.1 and 0.31.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-183",
              "description": "CWE-183: Permissive List of Allowed Inputs",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-441",
              "description": "CWE-441: Unintended Proxy or Intermediary (\u0027Confused Deputy\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-24T17:54:42.668Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/axios/axios/security/advisories/GHSA-pmwg-cvhr-8vh7",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/axios/axios/security/advisories/GHSA-pmwg-cvhr-8vh7"
        }
      ],
      "source": {
        "advisory": "GHSA-pmwg-cvhr-8vh7",
        "discovery": "UNKNOWN"
      },
      "title": "Axios: Incomplete Fix for CVE-2025-62718 \u2014 NO_PROXY  Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8)  in Axios 1.15.0"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42043",
    "datePublished": "2026-04-24T17:54:42.668Z",
    "dateReserved": "2026-04-23T16:05:01.709Z",
    "dateUpdated": "2026-04-27T13:47:24.724Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42044 (GCVE-0-2026-42044)

Vulnerability from cvelistv5 – Published: 2026-04-24 17:49 – Updated: 2026-04-24 18:12

Title

Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver`

Summary

Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.2, he Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into surgical, invisible modification of all JSON API responses — including privilege escalation, balance manipulation, and authorization bypass. The default transformResponse function at lib/defaults/index.js:124 calls JSON.parse(data, this.parseReviver), where this is the merged config object. Because parseReviver is not present in Axios defaults, not validated by assertOptions, and not subject to any constraints, a polluted Object.prototype.parseReviver function is called for every key-value pair in every JSON response, allowing the attacker to selectively modify individual values while leaving the rest of the response intact. This vulnerability is fixed in 1.15.2.

Severity

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N

SSVC

Exploitation: poc Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/axios/axios/security/advisorie…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
axios	axios	Affected: >= 1.0.0, < 1.15.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42044",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-24T18:11:49.647774Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-24T18:12:13.920Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/axios/axios/security/advisories/GHSA-3w6x-2g7m-8v23"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "axios",
          "vendor": "axios",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.0.0, \u003c 1.15.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.2, he Axios library is vulnerable to a Prototype Pollution \"Gadget\" attack that allows any Object.prototype pollution in the application\u0027s dependency tree to be escalated into surgical, invisible modification of all JSON API responses \u2014 including privilege escalation, balance manipulation, and authorization bypass. The default transformResponse function at lib/defaults/index.js:124 calls JSON.parse(data, this.parseReviver), where this is the merged config object. Because parseReviver is not present in Axios defaults, not validated by assertOptions, and not subject to any constraints, a polluted Object.prototype.parseReviver function is called for every key-value pair in every JSON response, allowing the attacker to selectively modify individual values while leaving the rest of the response intact. This vulnerability is fixed in 1.15.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-915",
              "description": "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-1321",
              "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-24T17:50:26.586Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/axios/axios/security/advisories/GHSA-3w6x-2g7m-8v23",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/axios/axios/security/advisories/GHSA-3w6x-2g7m-8v23"
        }
      ],
      "source": {
        "advisory": "GHSA-3w6x-2g7m-8v23",
        "discovery": "UNKNOWN"
      },
      "title": "Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver`"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42044",
    "datePublished": "2026-04-24T17:49:49.517Z",
    "dateReserved": "2026-04-23T16:05:01.709Z",
    "dateUpdated": "2026-04-24T18:12:13.920Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2026-1513

CVE-2026-32280 (GCVE-0-2026-32280)

CVE-2026-40895 (GCVE-0-2026-40895)

CVE-2026-42033 (GCVE-0-2026-42033)

CVE-2026-42035 (GCVE-0-2026-42035)

CVE-2026-42039 (GCVE-0-2026-42039)

CVE-2026-42041 (GCVE-0-2026-42041)

CVE-2026-42043 (GCVE-0-2026-42043)

CVE-2026-42044 (GCVE-0-2026-42044)

Tags

Sightings

Nomenclature