CVE-2026-40895
Authorization Header Exposure in follow-redirects Before
Publication date: 2026-04-21
Last updated on: 2026-04-23
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| follow-redirects_project | follow-redirects | to 1.16.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
This vulnerability can lead to the leakage of sensitive authentication credentials to unintended third-party domains during HTTP redirects. If an attacker controls or monitors the redirect target, they could capture custom authentication headers and potentially gain unauthorized access to protected resources or services. This increases the risk of data breaches and unauthorized actions performed on behalf of the user or application.
Can you explain this vulnerability to me?
The vulnerability exists in the follow-redirects library prior to version 1.16.0. When an HTTP request follows a cross-domain redirect (such as 301, 302, 307, or 308 status codes), the library only removes standard sensitive headers like authorization, proxy-authorization, and cookie headers. However, it fails to remove any custom authentication headers (for example, X-API-Key, X-Auth-Token, Api-Key, Token), which are forwarded unchanged to the redirect target. This could unintentionally expose sensitive authentication information to unintended domains.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade the follow-redirects package to version 1.16.0 or later, where the issue is fixed.