CVE-2026-40895
6.9
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
follow-redirects is an open source, drop-in replacement for Node's http and https modules that automatically follows redirects. Prior to 1.16.0, when an HTTP request follows a cross-domain redirect (301/302/307/308), follow-redirects only strips authorization, proxy-authorization, and cookie headers (matched by regex at index.js). Any custom authentication header (e.g., X-API-Key, X-Auth-Token, Api-Key, Token) is forwarded verbatim to the redirect target. This vulnerability is fixed in 1.16.0.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| follow-redirects | follow-redirects | < 1.16.0 | affected |
Weaknesses
- CWE-200: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
follow-redirects: follow-redirects: Information disclosure via cross-domain redirects
Additional References
- https://access.redhat.com/security/cve/CVE-2026-40895
- https://bugzilla.redhat.com/show_bug.cgi?id=2460297
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-40895.json
- https://access.redhat.com/errata/RHSA-2026:17789
- https://access.redhat.com/errata/RHSA-2026:26010
- https://access.redhat.com/errata/RHSA-2026:16874
- https://access.redhat.com/errata/RHSA-2026:24539
- https://access.redhat.com/errata/RHSA-2026:25273
- https://access.redhat.com/errata/RHSA-2026:20889
- https://access.redhat.com/errata/RHSA-2026:20938
- https://access.redhat.com/errata/RHSA-2026:24766
- https://access.redhat.com/errata/RHSA-2026:21338
- https://access.redhat.com/errata/RHSA-2026:13826
- https://access.redhat.com/errata/RHSA-2026:14937
- https://access.redhat.com/errata/RHSA-2026:24977
- https://access.redhat.com/errata/RHSA-2026:19712
- https://access.redhat.com/errata/RHSA-2026:27004
- https://access.redhat.com/errata/RHSA-2026:27063
- https://access.redhat.com/errata/RHSA-2026:27044
- https://access.redhat.com/errata/RHSA-2026:21772
- https://access.redhat.com/errata/RHSA-2026:16476
- https://access.redhat.com/errata/RHSA-2026:16534
- https://access.redhat.com/errata/RHSA-2026:16532
- https://access.redhat.com/errata/RHSA-2026:16535
- https://access.redhat.com/errata/RHSA-2026:16542
- https://access.redhat.com/errata/RHSA-2026:22840
- https://access.redhat.com/errata/RHSA-2026:22629
- https://access.redhat.com/errata/RHSA-2026:21017
- https://access.redhat.com/errata/RHSA-2026:24853
- https://access.redhat.com/errata/RHSA-2026:19375
- https://access.redhat.com/errata/RHSA-2026:22465
- https://access.redhat.com/errata/RHSA-2026:23361
- https://access.redhat.com/errata/RHSA-2026:24536
- https://access.redhat.com/errata/RHSA-2026:25271
- https://access.redhat.com/errata/RHSA-2026:17657
- https://access.redhat.com/errata/RHSA-2026:17699
- https://access.redhat.com/errata/RHSA-2026:19109
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.