{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/header-leak/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["urllib3 (\u003c 2.7.0)"],"_cs_severities":["high"],"_cs_tags":["urllib3","header-leak","vulnerability"],"_cs_type":"advisory","_cs_vendors":["Python Packaging Index (PyPI)"],"content_html":"\u003cp\u003eThe urllib3 library, a popular Python HTTP client, is vulnerable to sensitive header leakage (CVE-2026-44431) when handling cross-origin redirects in its low-level API. Specifically, when applications use \u003ccode\u003eHTTPConnection.urlopen()\u003c/code\u003e instances created via \u003ccode\u003eProxyManager.connection_from_url()\u003c/code\u003e and allow cross-origin redirects, sensitive headers like \u003ccode\u003eAuthorization\u003c/code\u003e, \u003ccode\u003eCookie\u003c/code\u003e, and \u003ccode\u003eProxy-Authorization\u003c/code\u003e are inadvertently forwarded to the redirect destination. This behavior can expose sensitive credentials to unintended third-party servers. This vulnerability affects urllib3 versions before 2.7.0. Defenders should prioritize upgrading urllib3 to version 2.7.0 or later to mitigate this risk and ensure proper handling of sensitive headers during redirects. If immediate upgrade is not feasible, applications should avoid using the vulnerable low-level redirect flow for cross-origin redirects and consider switching to \u003ccode\u003eProxyManager.request()\u003c/code\u003e instead.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker controls a malicious website or compromises an existing one.\u003c/li\u003e\n\u003cli\u003eA user\u0026rsquo;s application (using a vulnerable urllib3 version) initiates an HTTP request to a controlled domain.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s server responds with an HTTP 302 redirect to a different, attacker-controlled origin.\u003c/li\u003e\n\u003cli\u003eThe application, using \u003ccode\u003eProxyManager.connection_from_url().urlopen(..., assert_same_host=False)\u003c/code\u003e, follows the redirect.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, the application inappropriately forwards sensitive headers (Authorization, Cookie, Proxy-Authorization) along with the redirected request.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s server receives the forwarded request containing the sensitive headers, potentially including authentication tokens or session IDs.\u003c/li\u003e\n\u003cli\u003eThe attacker captures and logs these sensitive headers.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the captured credentials to impersonate the user or gain unauthorized access to protected resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-44431) can lead to the exposure of sensitive user credentials, including authentication tokens and session cookies. The impact ranges from account compromise to unauthorized access to sensitive data and resources. The number of potential victims depends on the adoption rate of vulnerable urllib3 versions and the frequency with which applications utilize the susceptible low-level redirect flow. Applications that handle authentication or authorization via HTTP headers are particularly at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to urllib3 version 2.7.0 or later to remediate the vulnerability (CVE-2026-44431), where sensitive headers are stripped from redirects followed by \u003ccode\u003eHTTPConnection\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately possible, avoid using the low-level redirect flow (\u003ccode\u003eProxyManager.connection_from_url().urlopen(..., assert_same_host=False)\u003c/code\u003e) for cross-origin redirects.\u003c/li\u003e\n\u003cli\u003eConsider switching to \u003ccode\u003eProxyManager.request()\u003c/code\u003e if appropriate for your use case, as this high-level API strips sensitive headers during redirects by default.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect urllib3 Low-Level API Cross-Origin Redirect with Sensitive Headers\u0026rdquo; to detect potential exploitation attempts by monitoring for the vulnerable code pattern.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-11T14:53:59Z","date_published":"2026-05-11T14:53:59Z","id":"https://feed.craftedsignal.io/briefs/2026-05-urllib3-header-leak/","summary":"Sensitive headers (`Authorization`, `Cookie`, and `Proxy-Authorization`) are forwarded across origins in proxied low-level redirects when using `HTTPConnection.urlopen()` instances created via `ProxyManager.connection_from_url()` in urllib3 versions before 2.7.0, potentially exposing credentials to unintended third parties; upgrade to version 2.7.0 or later to remediate this issue.","title":"urllib3 Sensitive Header Leak in Low-Level Redirects (CVE-2026-44431)","url":"https://feed.craftedsignal.io/briefs/2026-05-urllib3-header-leak/"}],"language":"en","title":"CraftedSignal Threat Feed — Header-Leak","version":"https://jsonfeed.org/version/1.1"}