Python Packaging Index (PyPI)

Sensitive headers (`Authorization`, `Cookie`, and `Proxy-Authorization`) are forwarded across origins in proxied low-level redirects when using `HTTPConnection.urlopen()` instances created via `ProxyManager.connection_from_url()` in urllib3 versions before 2.7.0, potentially exposing credentials to unintended third parties; upgrade to version 2.7.0 or later to remediate this issue.

Urllib3 versions before 2.7.0 are vulnerable to excessive resource consumption when using the streaming API to decompress responses, particularly when using the Brotli library or calling HTTPResponse.drain_conn() after partial decompression, leading to high CPU usage and memory allocation, potentially causing a denial-of-service condition (CVE-2026-44432).