CVE-2026-44431: urllib3: Sensitive headers forwarded across origins in proxied low-level redirects
When following cross-origin redirects for requests made using urllib3’s high-level APIs, such as urllib3.request(), PoolManager.request(), and ProxyManager.request(), sensitive headers — Authorization, Cookie, and Proxy-Authorization (defined in Retry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT) — are stripped by default, as expected.
However, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers.
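An added example, not code from the advisory or from urllib3 itself, showing how a caller who drives redirects by hand over the low-level path can apply the same stripping the high-level APIs perform. The origin comparison, the `follow_manually` driver and the sample URLs are assumptions for illustration; the header names mirror those the advisory lists from `Retry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT`.

```python
"""Sanitise sensitive headers on cross-origin redirects followed manually.

Constructed example: the high-level urllib3 APIs drop Authorization, Cookie
and Proxy-Authorization when a redirect leaves the original origin, while
connection_from_url().urlopen(..., assert_same_host=False) does not. This
helper reproduces that stripping for a hand-rolled redirect loop.
"""
from urllib.parse import urljoin, urlsplit

# Same names the advisory cites from Retry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT.
SENSITIVE_HEADERS = frozenset({"authorization", "cookie", "proxy-authorization"})
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = (parts.scheme or "http").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return scheme, (parts.hostname or "").lower(), port


def is_cross_origin(original_url, redirect_url):
    """True when the redirect target has a different scheme, host or port."""
    return origin(original_url) != origin(redirect_url)


def headers_for_redirect(headers, original_url, redirect_url):
    """Copy of `headers` with sensitive entries removed on a cross-origin hop."""
    if not is_cross_origin(original_url, redirect_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}


def follow_manually(proxy_manager, method, url, headers, max_hops=5):
    """Follow redirects over the low-level API, sanitising headers per hop.

    Assumes `proxy_manager` is a urllib3.ProxyManager; hypothetical driver,
    not executed in this example.
    """
    for _ in range(max_hops):
        pool = proxy_manager.connection_from_url(url)
        resp = pool.urlopen(method, url, headers=headers, redirect=False,
                            assert_same_host=False)
        location = resp.get_redirect_location()
        if not location:
            return resp
        next_url = urljoin(url, location)  # Location may be relative
        headers = headers_for_redirect(headers, url, next_url)
        url = next_url
    raise RuntimeError("too many redirects")
```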