CVE Vulnerabilities

CVE-2026-44494

Unintended Proxy or Intermediary ('Confused Deputy')

Published: Jun 11, 2026 | Modified: Jul 02, 2026
Severity by source:
NVD CVSS 3.x: N/A
Red Hat CVSS v3: 8.7 IMPORTANT (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N)
Ubuntu: MEDIUM

Axios is a promise-based HTTP client for the browser and Node.js. From 1.0.0 to before 1.16.0, the Axios library is vulnerable to a Prototype Pollution Gadget attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into a full Man-in-the-Middle (MITM) attack — intercepting, reading, and modifying all HTTP traffic, including authentication credentials. The HTTP adapter at lib/adapters/http.js:670 reads config.proxy via standard property access, which traverses the prototype chain. Because proxy is not present in Axios defaults, the merged config object has no own proxy property, so a polluted Object.prototype.proxy is picked up as if it had been configured. Once injected, setProxy() routes all HTTP requests through the attacker's proxy server. This vulnerability is fixed in 1.16.0.
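As an added illustration (not Axios's own code), the following JavaScript models the lookup the description refers to: a plain `config.proxy` read that walks the prototype chain, beside a hardened lookup that honours only an own property, a null-prototype merge, and a check that flags a proxy value the caller never set. The function names and the sample config and proxy values are assumptions constructed for this example.

```javascript
// Added example (not Axios code); names and sample values are constructed.

// Vulnerable pattern: a plain property read walks the prototype chain, so
// when the merged config has no own `proxy` property (the advisory's case),
// a polluted Object.prototype.proxy is what gets returned.
function resolveProxy(config) {
  return config.proxy;
}

// Hardened lookup: honour only an own property; inherited values are ignored.
function resolveProxySafe(config) {
  return Object.hasOwn(config, 'proxy') ? config.proxy : undefined;
}

// Alternative hardening at merge time: a null-prototype config object has no
// prototype chain for a later plain read to traverse.
function mergeConfigNullProto(defaults, userConfig) {
  return Object.assign(Object.create(null), defaults, userConfig);
}

// Detection check for a merged config: a proxy value that the caller never
// set but that still resolves can only have come from the prototype chain.
function hasInheritedProxy(config) {
  return !Object.hasOwn(config, 'proxy') && config.proxy !== undefined;
}

// Constructed harness: pollute Object.prototype.proxy only for the duration
// of fn(), then remove it so the process is not left polluted.
function withPollutedPrototype(proxyValue, fn) {
  Object.defineProperty(Object.prototype, 'proxy', {
    value: proxyValue, writable: true, configurable: true, enumerable: false,
  });
  try {
    return fn();
  } finally {
    delete Object.prototype.proxy;
  }
}

function demo() {
  const merged = { url: 'https://api.example.invalid/login', method: 'post' }; // constructed
  const injected = { host: 'injected-proxy.invalid', port: 8080 };            // constructed
  return withPollutedPrototype(injected, () => ({
    vulnerable: resolveProxy(merged),
    hardened: resolveProxySafe(merged),
    nullProto: resolveProxy(mergeConfigNullProto({ timeout: 0 }, merged)),
    detected: hasInheritedProxy(merged),
  }));
}
```

Running `demo()` shows the plain read returning the injected proxy while both hardened variants return `undefined`, which is the behavioural difference a fix for this class of gadget has to produce.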

Weakness

The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product’s control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.

Affected Software

Name | Vendor | Start Version | End Version
Axios | Axios | 1.0.0 (including) | 1.16.0 (excluding)
Multicluster engine for Kubernetes 2.8 | RedHat | multicluster-engine/console-mce-rhel9:1782157085 | *
Red Hat Advanced Cluster Management for Kubernetes 2.13 | RedHat | rhacm2/console-rhel9:1782157514 | *
Red Hat Advanced Cluster Security for Kubernetes 4.10 | RedHat | advanced-cluster-security/rhacs-main-rhel8:1779293013 | *
Red Hat Advanced Cluster Security for Kubernetes 4.9 | RedHat | advanced-cluster-security/rhacs-main-rhel8:1779371594 | *
Red Hat Container Native Virtualization 4.14 | RedHat | container-native-virtualization/kubevirt-console-plugin-rhel9:1782356760 | *
Red Hat Developer Hub 1.9 | RedHat | rhdh/rhdh-hub-rhel9:1781187342 | *
Red Hat Developer Hub 1.9 | RedHat | rhdh/rhdh-hub-rhel9:1782761244 | *
Red Hat Discovery 2 | RedHat | discovery/discovery-ui-rhel9:1782166952 | *
Red Hat OpenShift Container Platform 4.15 | RedHat | openshift4/ose-console:1782127091 | *
Red Hat OpenShift Container Platform 4.16 | RedHat | openshift4/ose-console-rhel9:1782244020 | *
Red Hat OpenShift Container Platform 4.16 | RedHat | openshift4/ose-monitoring-plugin-rhel9:1782243791 | *
Red Hat OpenShift Container Platform 4.19 | RedHat | openshift4/ose-monitoring-plugin-rhel9:1782171032 | *
Red Hat OpenShift Container Platform 4.20 | RedHat | openshift4/ose-monitoring-plugin-rhel9:1782313844 | *
Red Hat OpenShift Container Platform 4.21 | RedHat | openshift4/ose-monitoring-plugin-rhel9:1781731914 | *
Red Hat OpenShift Service Mesh 2.6 | RedHat | openshift-service-mesh/kiali-ossmc-rhel8:1781937133 | *
Red Hat OpenShift Service Mesh 2.6 | RedHat | openshift-service-mesh/kiali-rhel8:1782287580 | *
Red Hat OpenShift Service Mesh 3.0 | RedHat | openshift-service-mesh/kiali-ossmc-rhel9:1782201894 | *
Red Hat OpenShift Service Mesh 3.0 | RedHat | openshift-service-mesh/kiali-rhel9:1782201833 | *
Red Hat OpenShift Service Mesh 3.1 | RedHat | openshift-service-mesh/kiali-ossmc-rhel9:1782201696 | *
Red Hat OpenShift Service Mesh 3.1 | RedHat | openshift-service-mesh/kiali-rhel9:1782201537 | *
Red Hat OpenShift Service Mesh 3.2 | RedHat | openshift-service-mesh/kiali-ossmc-rhel9:1782201851 | *
Red Hat OpenShift Service Mesh 3.2 | RedHat | openshift-service-mesh/kiali-rhel9:1782201812 | *
Red Hat OpenShift Service Mesh 3.3 | RedHat | openshift-service-mesh/kiali-ossmc-rhel9:1782231869 | *
Red Hat OpenShift Service Mesh 3.3 | RedHat | openshift-service-mesh/kiali-rhel9:1782201466 | *
Red Hat Satellite 6.19 | RedHat | satellite/iop-vulnerability-frontend-rhel9:1781174698 | *
Red Hat Satellite 6.19 | RedHat | satellite/iop-host-inventory-frontend-rhel9:1782253070 | *
Red Hat Satellite 6.19 | RedHat | satellite/iop-advisor-frontend-rhel9:1782243376 | *
Node-axios | Ubuntu | upstream | *

Extended Description

If an attacker cannot directly contact a target, but the product has access to the target, then the attacker can send a request to the product and have it be forwarded to the target. The request would appear to be coming from the product’s system, not the attacker’s system. As a result, the attacker can bypass access controls (such as firewalls) or hide the source of malicious requests, since the requests would not be coming directly from the attacker. Since proxy functionality and message-forwarding often serve a legitimate purpose, this issue only becomes a vulnerability when:

Potential Mitigations

References