CVE Catalog

CVE-2026-49336

MediumCVSS 5.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.65%

46th percentile — higher than 46% of all known CVEs

Summary

In versions 1.0.0-preview.97 through 1.0.0-preview.101, the @microsoft/kiota-http-fetchlibrary incorrectly handles `Authorization` and `Cookie` headers in cross-origin redirects. The default `scrubSensitiveHeaders` function does not remove these headers, allowing them to be forwarded to malicious hosts.

Risk Assessment

Organizations may be exposed to attacks where Bearer tokens or cookies are sent to attacker-controlled hosts, potentially leading to unauthorized access to resources.

Recommendation

It is recommended to update the @microsoft/kiota-http-fetchlibrary to version 1.0.0-preview.102 or later to patch this vulnerability.

Original NVD description (English source)

@microsoft/kiota-http-fetchlibrary provides TypeScript libraries for Kiota-generated API clients. In versions 1.0.0-preview.97 through 1.0.0-preview.101, `@microsoft/kiota-http-fetchlibrary`'s `RedirectHandler` is documented as stripping `Authorization` and `Cookie` from cross-origin redirect targets, but the default `scrubSensitiveHeaders` callback in `RedirectHandlerOptions` uses case-sensitive property deletion (`delete headers.Authorization`, `delete headers.Cookie`) on a headers object that `FetchRequestAdapter.getRequestFromRequestInformation` has already lower-cased. The delete therefore targets keys that do not exist, the scrub is a no-op, and any Bearer token or Cookie attached by a kiota-generated SDK is forwarded to an attacker-controlled host across a 30x redirect. This is reachable in the default middleware chain (`MiddlewareFactory.getDefaultMiddlewares`) with no custom configuration, and applies to every kiota-generated TypeScript SDK that uses `BaseBearerTokenAuthenticationProvider` or any other authentication provider that sets the `Authorization` request header. Version 1.0.0-preview.102 patches the issue.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS