CVE-2026-44494
HIGH 8.7Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.16.0, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into a full Man-in-the-Middle (MITM) attack — intercepting, reading, and modifying all HTTP traffic including authentication credentials. The HTTP adapter at lib/adapters/http.js:670 reads config.proxy via standard property access, which traverses the prototype chain. Because proxy is not present in Axios defaults, the merged config object has no own proxy property, making it trivially injectable via prototype pollution. Once injected, setProxy() routes all HTTP requests through the attacker's proxy server. This vulnerability is fixed in 1.16.0.
Severe if exploited (CVSS 8.7), but no known exploitation and low modeled probability. Patch on a normal cadence.
Exploitation likelihood
1.0%chance of exploitation in 30 days · 60th percentile
Impact if exploited
8.7CVSS 3.1 · HIGH
- ConfidentialityHigh
- IntegrityHigh
- AvailabilityNone
What an attacker needs
- ✓Access: Reachable over the network — no local access needed
- ✓Privileges: No account or privileges required
- ✓User interaction: No user interaction needed
- ⚠Complexity: Needs a race window or specific setup
✓ lowers the bar for an attacker · ⚠ raises it
Affected
Products Axios Red Hat Advanced Cluster Management For Kubernetes 2.13 Red Hat Advanced Cluster Security For Kubernetes 4.10 Red Hat Container Native Virtualization 4.14 Red Hat Developer Hub 1.9 Red Hat Discovery 2 Red Hat Openshift Container Platform 4.16 Red Hat Openshift Container Platform 4.20
Weakness (CWE)
- CWE-441
- CWE-1321
- CWE-915
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
References
Advisories
- https://access.redhat.com/errata/RHSA-2026:30651
- https://access.redhat.com/errata/RHSA-2026:20889
- https://access.redhat.com/errata/RHSA-2026:33005
- https://access.redhat.com/errata/RHSA-2026:33574
- https://access.redhat.com/errata/RHSA-2026:26234
- https://access.redhat.com/errata/RHSA-2026:29197
- https://access.redhat.com/errata/RHSA-2026:29082
- https://access.redhat.com/errata/RHSA-2026:29800