CVE-2026-44503

Summary

The RedirectHandler middleware in microsoft/kiota-java (com.microsoft.kiota:microsoft-kiota-http-okHttp v1.9.0) and other Kiota libraries fails to strip sensitive HTTP headers when following 3xx redirects to a different host or scheme. Only the Authorization header is removed; Cookie, Proxy-Authorization, and all custom headers are forwarded to the redirect target.

Affected Software

VendorProductVersion RangeStatus
microsoftkiota-java< 1.9.1affected
microsoftMicrosoft.Kiota.Abstractions< 1.22.0affected
microsoftgithub.com/microsoft/kiota-http-go< 1.5.5affected
microsoftkiota-typescript< 1.0.0-preview.100affected
microsoftmicrosoft-kiota-abstractions< 1.9.1affected
microsoftmicrosoft-kiota-http< 1.9.9affected

Weaknesses

  • CWE-601: CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

Additional References

References