## urllib3 CVE-2026-44431: Low-Level API Flaw Allows Sensitive Header Leakage Across Origins
A critical vulnerability in urllib3 versions prior to 2.7.0 enables unauthorized exfiltration of sensitive authentication headers during cross-origin redirects. The flaw is specific to the low-level `ProxyManager.connection_from_url().urlopen(..., assert_same_host=False)` API pathway, which, unlike its high-level counterpart `PoolManager.request()`, does not strip credentials such as the Authorization, Cookie, and Proxy-Authorization headers when a redirect leaves the original origin. Security researchers have assigned the flaw a CVSS v4.0 score of 8.2, classifying it as HIGH severity.

The vulnerability stems from a path-specific implementation gap within urllib3's architecture. While the high-level `PoolManager.request()` interface properly sanitizes sensitive headers upon detecting cross-origin redirects, the lower-level `ProxyManager` API bypasses this protection mechanism entirely. An attacker capable of controlling or observing a redirecting proxy can exploit this oversight to capture authentication tokens intended for the original destination, potentially gaining unauthorized access to protected resources on unintended domains. The CVSS vector confirms network-based exploitation (AV:N) with high attack complexity (AC:H), indicating the attacker must manipulate redirect behavior rather than directly intercept traffic.

The issue carries particular weight for deployments relying on conda-managed environments, as urllib3 version 2.6.3 ships within base images via this package manager. Organizations using the affected low-level API in proxy configurations or custom HTTP client implementations face elevated exposure. The maintainers recommend upgrading to urllib3 2.7.0 or later to remediate the vulnerability. Given the specificity of the attack surface, which requires both a cross-origin redirect and use of the low-level API path, risk prioritization should focus on applications and services where user-controlled redirect targets are processed through `assert_same_host=False` configurations.
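As an added illustration, not code from urllib3 or from this advisory, the following standard-library-only snippet models the check the high-level path performs and the affected low-level path omits: an origin comparison that accounts for default ports, removal of the three headers named above on a cross-origin hop, and a walk of a constructed redirect chain (hypothetical hosts) that reports where the unpatched low-level behaviour would re-send credentials to a second origin.

```python
from urllib.parse import urljoin, urlsplit

# The three headers the advisory says the high-level path strips on a
# cross-origin redirect; compared case-insensitively as HTTP requires.
SENSITIVE_HEADERS = frozenset({"authorization", "cookie", "proxy-authorization"})
DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return (scheme, host, port) with default ports filled in so that
    https://a.example/ and https://a.example:443/ compare equal."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return scheme, host, parts.port or DEFAULT_PORTS.get(scheme)

def is_cross_origin(url, location):
    """True when following the Location header would leave the origin of url.
    A relative Location resolves against url and therefore stays same-origin."""
    return origin(url) != origin(urljoin(url, location))

def headers_for_redirect(headers, url, location):
    """What the high-level PoolManager path sends on the redirected request:
    the original headers, minus credentials when the hop crosses origins."""
    if not is_cross_origin(url, location):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}

def leaked_on_chain(start_url, headers, locations):
    """Model the unpatched low-level path, which re-sends headers unchanged at
    every hop: return [(target_url, [credential header names])] for each hop
    that crosses an origin while credentials are still attached."""
    leaks, current = [], start_url
    for location in locations:
        target = urljoin(current, location)
        if origin(current) != origin(target):
            names = sorted(k for k in headers if k.lower() in SENSITIVE_HEADERS)
            if names:
                leaks.append((target, names))
        current = target
    return leaks

if __name__ == "__main__":
    # Constructed sample: a bearer token and a session cookie sent to an API,
    # with a redirect chain (hypothetical hosts) that hops to a second origin.
    sent = {"Authorization": "Bearer example-token", "Cookie": "session=abc", "Accept": "*/*"}
    chain = ["/login", "https://cdn.example.net/x", "/y"]
    for target, names in leaked_on_chain("https://api.example.com/v1", sent, chain):
        print(f"cross-origin hop to {target} would carry {', '.join(names)}")
```

Running the script against a proxy that you control and that issues the redirects your clients actually see is a quick way to confirm whether a given code path behaves like `headers_for_redirect` or like `leaked_on_chain`.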

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2026-44431, urllib3, header leakage, cross-origin redirect, CVSS 8.2
- **Credibility**: unverified
- **Published**: 2026-05-12 17:48:30
- **ID**: 82303
- **URL**: https://whisperx.ai/en/intel/82303