CVE-2026-49336
Deferred Deferred - Pending Action

Information Disclosure in Microsoft Kiota HTTP Fetch Library

Vulnerability report for CVE-2026-49336, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-19

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description

@microsoft/kiota-http-fetchlibrary provides TypeScript libraries for Kiota-generated API clients. In versions 1.0.0-preview.97 through 1.0.0-preview.101, `@microsoft/kiota-http-fetchlibrary`'s `RedirectHandler` is documented as stripping `Authorization` and `Cookie` from cross-origin redirect targets, but the default `scrubSensitiveHeaders` callback in `RedirectHandlerOptions` uses case-sensitive property deletion (`delete headers.Authorization`, `delete headers.Cookie`) on a headers object that `FetchRequestAdapter.getRequestFromRequestInformation` has already lower-cased. The delete therefore targets keys that do not exist, the scrub is a no-op, and any Bearer token or Cookie attached by a kiota-generated SDK is forwarded to an attacker-controlled host across a 30x redirect. This is reachable in the default middleware chain (`MiddlewareFactory.getDefaultMiddlewares`) with no custom configuration, and applies to every kiota-generated TypeScript SDK that uses `BaseBearerTokenAuthenticationProvider` or any other authentication provider that sets the `Authorization` request header. Version 1.0.0-preview.102 patches the issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-19
Last Modified
2026-06-22
Generated
2026-07-11
AI Q&A
2026-06-19
EPSS Evaluated
2026-07-10
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
microsoft kiota-http-fetchlibrary From 1.0.0-preview.97 (inc) to 1.0.0-preview.101 (inc)
microsoft kiota-http-fetchlibrary 1.0.0-preview.102

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-178 The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability exists in the @microsoft/kiota-http-fetchlibrary package versions 1.0.0-preview.97 through 1.0.0-preview.101. The RedirectHandler is intended to strip Authorization and Cookie headers from cross-origin redirect targets to prevent sensitive data leakage. However, the default scrubSensitiveHeaders callback deletes these headers using case-sensitive keys on a headers object that has already been lower-cased. As a result, the deletion does not occur, and sensitive headers like Bearer tokens or Cookies are forwarded to attacker-controlled hosts during 30x redirects.

This issue affects every kiota-generated TypeScript SDK that uses BaseBearerTokenAuthenticationProvider or any authentication provider setting the Authorization header. The vulnerability can be exploited by an attacker controlling a redirect target, causing leakage of sensitive authentication data.

The fix, introduced in version 1.0.0-preview.102, modifies the scrubSensitiveHeaders function to remove sensitive headers case-insensitively by iterating over all header keys and deleting those matching Authorization, Cookie, or Proxy-Authorization regardless of case.

Impact Analysis

This vulnerability can lead to the unintended leakage of sensitive authentication information such as Bearer tokens and session Cookies to attacker-controlled hosts during HTTP redirects.

An attacker who controls a redirect target or can influence redirect URLs can exploit this flaw to capture authentication credentials, potentially gaining unauthorized access to user accounts or sensitive data.

Because the issue occurs in the default middleware chain without any custom configuration, all applications using affected versions of the kiota-generated TypeScript SDKs with authentication headers are at risk.

Detection Guidance

Detection of this vulnerability involves monitoring HTTP requests and redirects to identify if Authorization or Cookie headers are being forwarded to cross-origin redirect targets.

You can inspect network traffic or logs for 30x HTTP redirects where sensitive headers like Authorization or Cookie are present in requests to different origins.

Commands to help detect this include using tools like curl or tcpdump to capture and analyze HTTP headers during redirects.

  • Using curl with verbose output to follow redirects and show headers: curl -v -L <URL>
  • Using tcpdump to capture HTTP traffic on port 80 or 443: tcpdump -i <interface> -A 'tcp port 80 or tcp port 443'
  • Using browser developer tools to monitor network requests and check if Authorization or Cookie headers are sent to unexpected domains during redirects.
Mitigation Strategies

The immediate mitigation step is to upgrade the @microsoft/kiota-http-fetchlibrary package to version 1.0.0-preview.102 or later, where the vulnerability is patched.

The patch modifies the header scrubbing logic to case-insensitively remove Authorization, Cookie, and Proxy-Authorization headers on cross-origin redirects, preventing sensitive data leakage.

If upgrading immediately is not possible, consider implementing custom middleware or configuration to ensure sensitive headers are properly removed during redirects.

Additionally, review and restrict redirect targets to trusted domains to reduce the risk of leaking tokens or cookies to attacker-controlled hosts.

Compliance Impact

This vulnerability causes Bearer tokens and session cookies to be leaked to attacker-controlled hosts during cross-origin HTTP redirects due to improper case-sensitive header removal.

Such leakage of sensitive authentication information can lead to unauthorized access to user data or sessions, which may result in violations of data protection regulations like GDPR and HIPAA that require safeguarding personal and sensitive information.

Therefore, this vulnerability can negatively impact compliance with these standards by exposing sensitive authentication credentials to unauthorized parties.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49336. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart