CVE-2026-44503: Kiota abstractions RedirectHandler leaks Cookie/Proxy-Authorization headers on cross-host redirect

May 7, 2026

The RedirectHandler middleware in microsoft/kiota-java (com.microsoft.kiota:microsoft-kiota-http-okHttp v1.9.0) and other Kiota libraries fails to strip sensitive HTTP headers when following 3xx redirects to a different host or scheme.

This vulnerability is present in the RedirectHandlers for:

https://github.com/microsoft/kiota-dotnet https://github.com/microsoft/kiota-java https://github.com/microsoft/kiota-python https://github.com/microsoft/kiota-typescript https://github.com/microsoft/kiota-http-go

References

github.com/advisories/GHSA-7j59-v9qr-6fq9
github.com/microsoft/kiota-java
github.com/microsoft/kiota-java/security/advisories/GHSA-7j59-v9qr-6fq9
nvd.nist.gov/vuln/detail/CVE-2026-44503

Code Behaviors & Features

Detect and mitigate CVE-2026-44503 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →