{"id":"GHSA-qccp-gfcp-xxvc","summary":"urllib3: Sensitive headers forwarded across origins in proxied low-level redirects","details":"### Impact\n\nWhen following cross-origin redirects for requests made using urllib3’s high-level APIs, such as `urllib3.request()`, `PoolManager.request()`, and `ProxyManager.request()`, sensitive headers — `Authorization`, `Cookie`, and `Proxy-Authorization` (defined in `Retry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT`) — are stripped by default, as expected.\n\nHowever, cross-origin redirects followed from the low-level API via `ProxyManager.connection_from_url().urlopen(..., assert_same_host=False)` still forward these sensitive headers.\n\n### Affected usage\n\nApplications and libraries using urllib3 versions earlier than 2.7.0 may be affected if they allow cross-origin redirects while making requests through `HTTPConnection.urlopen()` instances created via `ProxyManager.connection_from_url()`.\n\n### Remediation\n\nUpgrade to urllib3 version 2.7.0 or later, in which sensitive headers are stripped from redirects followed by `HTTPConnection`.\n\nIf upgrading is not immediately possible, avoid using this low-level redirect flow for cross-origin redirects. If appropriate for your use case, switch to `ProxyManager.request()`.","aliases":["CVE-2026-44431"],"modified":"2026-05-11T15:03:47.965992Z","published":"2026-05-11T14:51:20Z","database_specific":{"nvd_published_at":null,"cwe_ids":["CWE-200"],"severity":"HIGH","github_reviewed":true,"github_reviewed_at":"2026-05-11T14:51:20Z"},"references":[{"type":"WEB","url":"https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc"},{"type":"PACKAGE","url":"https://github.com/urllib3/urllib3"}],"affected":[{"package":{"name":"urllib3","ecosystem":"PyPI","purl":"pkg:pypi/urllib3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"1.23"},{"fixed":"2.7.0"}]}],"versions":["1.23","1.24","1.24.1","1.24.2","1.24.3","1.25","1.25.1","1.25.10","1.25.11","1.25.2","1.25.3","1.25.4","1.25.5","1.25.6","1.25.7","1.25.8","1.25.9","1.26.0","1.26.1","1.26.10","1.26.11","1.26.12","1.26.13","1.26.14","1.26.15","1.26.16","1.26.17","1.26.18","1.26.19","1.26.2","1.26.20","1.26.3","1.26.4","1.26.5","1.26.6","1.26.7","1.26.8","1.26.9","2.0.0","2.0.0a1","2.0.0a2","2.0.0a3","2.0.0a4","2.0.1","2.0.2","2.0.3","2.0.4","2.0.5","2.0.6","2.0.7","2.1.0","2.2.0","2.2.1","2.2.2","2.2.3","2.3.0","2.4.0","2.5.0","2.6.0","2.6.1","2.6.2","2.6.3"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-qccp-gfcp-xxvc/GHSA-qccp-gfcp-xxvc.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"}]}