{"id":"CVE-2026-40895","summary":"follow-redirects: Custom Authentication Headers Leaked to Cross-Domain Redirect Targets","details":"follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. Prior to 1.16.0, when an HTTP request follows a cross-domain redirect (301/302/307/308), follow-redirects only strips authorization, proxy-authorization, and cookie headers (matched by regex at index.js). Any custom authentication header (e.g., X-API-Key, X-Auth-Token, Api-Key, Token) is forwarded verbatim to the redirect target. This vulnerability is fixed in 1.16.0.","aliases":["GHSA-r4q5-vmmm-2653"],"modified":"2026-07-10T04:03:02.730016593Z","published":"2026-04-21T19:59:59.759Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-200"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40895.json"},"references":[{"type":"WEB","url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-40895.json"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:13826"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:14937"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:16476"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:16532"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:16534"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:16535"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:16542"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:16874"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:17657"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:17699"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:17789"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:19109"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:19375"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:19712"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:20889"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:20938"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:21017"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:21338"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:21772"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:22465"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:22629"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:22840"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:23361"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:24536"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:24539"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:24766"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:24853"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:24977"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:25271"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:25273"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:26010"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:27004"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:27044"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:27063"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:36882"},{"type":"ADVISORY","url":"https://access.redhat.com/security/cve/CVE-2026-40895"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40895.json"},{"type":"ADVISORY","url":"https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-r4q5-vmmm-2653"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40895"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460297"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/follow-redirects/follow-redirects","events":[{"introduced":"0"},{"fixed":"0c23a223067201c368035e82954c11eb2578a33b"}],"database_specific":{"cpe":"cpe:2.3:a:follow-redirects_project:follow-redirects:*:*:*:*:*:node.js:*:*","source":["AFFECTED_FIELD","CPE_RANGE"],"extracted_events":[{"introduced":"0"},{"fixed":"1.16.0"}]}}],"versions":["v1.15.11","v1.15.10","v1.15.9","v1.15.8","v1.15.7","v1.15.6","v1.15.5","v1.15.4","v1.15.3","v1.15.2","v1.15.1","v1.15.0","v1.14.9","v1.14.8","v1.14.7","v1.14.6","v1.14.5","v1.14.4","v1.14.3","v1.14.2","v1.14.1","v1.14.0","v1.13.3","v1.13.2","v1.13.1","v1.13.0","v1.12.1","v1.12.0","v1.11.0","v1.10.0","v1.9.1","v1.9.0","v1.8.1","v1.8.0","v1.7.0","v1.6.1","v1.6.0","v1.5.10","v1.5.9","v1.5.8","v1.5.7","v1.5.6","v1.5.5","v1.5.4","v1.5.3","v1.5.2","v1.5.1","v1.5.0","v1.4.1","v1.4.0","v1.3.0","v1.2.6","v1.2.5","v1.2.4","v1.2.3","v1.2.2","v1.2.1","v1.2.0","v1.1.0","v1.0.0","v0.3.0","v0.2.0","v0.1.0","v0.0.6"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40895.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"}]}