Aug 4-6 · Las VegasCantina is at Black Hat USA · Booth 5200, AI ZoneBook a meeting
exposure-of-sensitive-information-to-an-unauthorized-actor

CVE-2026-44431

urllib3

Medium

CVSS Details

CVSS Score
5.3 MEDIUM
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Weakness
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

Description

urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward sensitive headers. This vulnerability is fixed in 2.7.0.

Disclosure Date

Public Disclosure
May 13, 2026