← All CVEs

CVE-2026-44494

HIGH 8.7

Published 2026-06-11 · Last modified 2026-07-01

Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.16.0, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into a full Man-in-the-Middle (MITM) attack — intercepting, reading, and modifying all HTTP traffic including authentication credentials. The HTTP adapter at lib/adapters/http.js:670 reads config.proxy via standard property access, which traverses the prototype chain. Because proxy is not present in Axios defaults, the merged config object has no own proxy property, making it trivially injectable via prototype pollution. Once injected, setProxy() routes all HTTP requests through the attacker's proxy server. This vulnerability is fixed in 1.16.0.

ELEVATED IMPACT

Severe if exploited (CVSS 8.7), but no known exploitation and low modeled probability. Patch on a normal cadence.

Exploitation likelihood

1.0%chance of exploitation in 30 days · 60th percentile

○ In CISA KEV ○ Public exploit / PoC

Impact if exploited

8.7CVSS 3.1 · HIGH

  • ConfidentialityHigh
  • IntegrityHigh
  • AvailabilityNone

What an attacker needs

  • Access: Reachable over the network — no local access needed
  • Privileges: No account or privileges required
  • User interaction: No user interaction needed
  • Complexity: Needs a race window or specific setup

✓ lowers the bar for an attacker · ⚠ raises it

Affected

Vendors Axios Red Hat

Products Axios Red Hat Advanced Cluster Management For Kubernetes 2.13 Red Hat Advanced Cluster Security For Kubernetes 4.10 Red Hat Container Native Virtualization 4.14 Red Hat Developer Hub 1.9 Red Hat Discovery 2 Red Hat Openshift Container Platform 4.16 Red Hat Openshift Container Platform 4.20

Weakness (CWE)

  • CWE-441
  • CWE-1321
  • CWE-915

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

Sources: NVD · CVE.org · EPSS