CVE-2026-44503 - Kiota abstractions RedirectHandler leaks Cookie/Proxy-Authorization headers on c

📡 GitHub-Advisory · 2026-05-07

GHSA-7j59-v9qr-6fq9 HIGH maven/com.microsoft.kiota:microsoft-kiota-abstractions

CVE: CVE-2026-44503

Summary

The RedirectHandler middleware in microsoft/kiota-java (com.microsoft.kiota:microsoft-kiota-http-okHttp v1.9.0) and other Kiota libraries fails to strip sensitive HTTP headers when following 3xx redirects to a different host or scheme.

This vulnerability is present in the RedirectHandlers for:

https://github.com/microsoft/kiota-dotnet

https://github.com/microsoft/kiota-java

https://github.com/microsoft/kiota-python

https://github.com/microsoft/kiota-typescript

https://github.com/microsoft/kiota-http-go

Details

Only the Authorization header is removed; Cookie, Proxy-Authorization, and all custom headers are forwarded to the redirect target.

This is the default middleware in every kiota-java HTTP client created via KiotaClientFactory.create(). OkHttp's built-in redirect handler (which handles this correctly) is explicitly disabled at line 63 of KiotaClientFactory.java in favor of kiota's broken implementation.

Vulnerable code in RedirectHandler.java lines 107-116 (getRedirect method) in versions 1.9.0 and earlier:

// The origin test compares scheme and host only (port is not considered).
boolean sameScheme = locationUrl.scheme().equalsIgnoreCase(requestUrl.scheme());
boolean sameHost = locationUrl.host().toString().equalsIgnoreCase(requestUrl.host().toString());
if (!sameScheme || !sameHost) {
    requestBuilder.removeHeader("Authorization");
    // BUG: Cookie, Proxy-Authorization, and all other headers are NOT removed
}
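The following is an added example, not code from kiota-java or any of the listed Kiota libraries. It models the redirect policy described above in Python: vulnerable_policy reproduces the described behaviour (only Authorization is dropped on a scheme or host change), hardened_policy drops every credential-bearing header on that same boundary, and follow_redirects walks a constructed redirect chain so the difference in what reaches the redirect target is visible. All URLs, header values and function names are constructed for illustration.

```python
from urllib.parse import urljoin, urlparse

# Credential-bearing request headers that must not cross an origin boundary.
SENSITIVE_HEADERS = frozenset({"authorization", "cookie", "proxy-authorization"})


def is_cross_origin(request_url: str, location: str) -> bool:
    """Same test as the advisory's getRedirect snippet: scheme and host only."""
    src, dst = urlparse(request_url), urlparse(location)
    same_scheme = src.scheme.lower() == dst.scheme.lower()
    same_host = (src.hostname or "").lower() == (dst.hostname or "").lower()
    return not (same_scheme and same_host)


def vulnerable_policy(headers: dict, request_url: str, location: str) -> dict:
    """Reproduces the described bug: only Authorization is removed."""
    if not is_cross_origin(request_url, location):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() != "authorization"}


def hardened_policy(headers: dict, request_url: str, location: str) -> dict:
    """Removes every sensitive header (case-insensitively) on a cross-origin hop."""
    if not is_cross_origin(request_url, location):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}


def follow_redirects(request_url, headers, responses, policy, max_redirects=5):
    """Walk a constructed chain of url -> (status, Location) and return the
    (final_url, headers) pair the client would send to the final target."""
    url, hdrs = request_url, dict(headers)
    for _ in range(max_redirects + 1):
        status, location = responses.get(url, (200, None))
        if status not in (301, 302, 303, 307, 308) or location is None:
            return url, hdrs
        target = urljoin(url, location)   # resolves relative Location values too
        hdrs = policy(hdrs, url, target)   # apply the header policy for this hop
        url = target
    raise RuntimeError("redirect limit exceeded")


# Constructed scenario (assumption): the legitimate API host answers with a 302
# pointing at an attacker-controlled host.
REQUEST_URL = "https://api.example.test/v1/me"
HEADERS = {
    "Authorization": "Bearer constructed-token",
    "Cookie": "session=constructed-cookie",
    "Proxy-Authorization": "Basic Y29uc3RydWN0ZWQ=",
    "X-Request-Id": "req-42",
}
RESPONSES = {
    "https://api.example.test/v1/me": (302, "https://attacker.example.test/collect"),
    "https://attacker.example.test/collect": (200, None),
}


def leaked_to_attacker(policy) -> set:
    """Sensitive header names that reach the attacker host under `policy`."""
    final_url, sent = follow_redirects(REQUEST_URL, HEADERS, RESPONSES, policy)
    assert final_url == "https://attacker.example.test/collect"
    return {k for k in sent if k.lower() in SENSITIVE_HEADERS}


if __name__ == "__main__":
    print("vulnerable policy leaks:", sorted(leaked_to_attacker(vulnerable_policy)))
    print("hardened policy leaks:  ", sorted(leaked_to_attacker(hardened_policy)))
```

The same is_cross_origin test also fires on an https to http hop to the same host, so the hardened policy keeps cookies off a plaintext downgrade as well; whether port should be part of the origin test is a stricter choice than the snippet on this page makes and is left to the reader.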

PoC

1. Clone the repository:

git clone --depth 1 https://github.com/microsoft/kiota-java.git

cd kiota-java

2. Create the PoC test file at:

components/http/okHttp/src/test/java/com/microsoft/kiota/http/middleware/SecurityPoC.java

With this content:

package com.microsoft.kiota.http.middleware;
import static org.junit.jupiter.api.Assertions.*;
import com.microsoft.kiota.http.KiotaClientFactory;
import okhttp3.*;
import okhttp3.mockwebserver.*;
import org.junit.jupiter.api.Test;

public class SecurityPoC {
@Test
void crossHostRedirectLeaksCookies() throws Exception {
Request original = new Req

[!] CONTACT_CHANNELS

For business cooperation, technical consulting or vulnerability feedback, please contact the author through the following offshore nodes.

> PING_AUTHOR (@A1RedTeam)