Threat Advisory

Sensitive Cookie Theft Vulnerability Discovered in Kiota Libraries

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High


EXECUTIVE SUMMARY:

CVE-2026-44503, with a CVSS score of 7.0, is a vulnerability in the Kiota abstractions RedirectHandler that leaks sensitive Cookie and Proxy-Authorization headers during cross-host redirects. It affects multiple Kiota libraries, including microsoft-kiota-abstractions, Microsoft.Kiota.Abstractions, microsoft-kiota-http, kiota-typescript, and github.com/microsoft/kiota-http-go. The issue occurs because the RedirectHandler middleware fails to strip sensitive HTTP headers when processing 3xx redirects to a different host or scheme. An attacker can exploit this flaw by sending a crafted redirect response to a victim’s Kiota client, which requires network access and the ability to intercept or manipulate HTTP traffic. Successful exploitation may allow attackers to steal session cookies and proxy authorization credentials, potentially resulting in unauthorized access, data breaches, and other security impacts.
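The defensive behaviour the advisory describes as missing, shown as an added example that is not Kiota's own code: a redirect helper that compares the origin (scheme, host, port) of the original request with the Location target and drops Cookie and Proxy-Authorization before following a cross-origin 3xx. Authorization is also dropped as a conservative choice; that, the hostnames and the fake transport are assumptions constructed for this example.

```python
from urllib.parse import urlparse, urljoin

# Headers that must never travel with a redirect to another origin. Cookie and
# Proxy-Authorization are the two named in the advisory; Authorization is added
# here as a conservative defensive choice (assumption, not from the advisory).
SENSITIVE_HEADERS = frozenset({"cookie", "proxy-authorization", "authorization"})

def _origin(url: str):
    """Normalised (scheme, host, port) so https://a and https://a:443 compare equal."""
    p = urlparse(url)
    scheme = p.scheme.lower()
    port = p.port or {"https": 443, "http": 80}.get(scheme)
    return scheme, (p.hostname or "").lower(), port

def headers_for_redirect(original_url: str, target_url: str, headers: dict) -> dict:
    """Header set to send to target_url: unchanged for a same-origin redirect,
    otherwise with the sensitive headers removed (names compared case-insensitively)."""
    if _origin(original_url) == _origin(target_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}

def follow_redirects(url: str, headers: dict, send, max_redirects: int = 5):
    """Follow 3xx responses; send(url, headers) -> (status, resp_headers, body)
    is a constructed stand-in for the real HTTP transport."""
    for _ in range(max_redirects + 1):
        status, resp_headers, body = send(url, headers)
        location = resp_headers.get("Location")
        if status not in (301, 302, 303, 307, 308) or not location:
            return url, headers, status
        target = urljoin(url, location)            # Location may be relative
        headers = headers_for_redirect(url, target, headers)
        url = target
    raise RuntimeError("too many redirects")

def demo():
    """Constructed scenario: an API host answers 302 to a different host over plain
    HTTP. Returns the (url, headers) pairs actually sent, for inspection."""
    sent = []
    def fake_send(url, headers):
        sent.append((url, dict(headers)))
        if url.startswith("https://api.example.test/"):
            return 302, {"Location": "http://other.example.test/collect"}, b""
        return 200, {}, b"ok"
    follow_redirects("https://api.example.test/me",
                     {"Cookie": "session=abc", "Proxy-Authorization": "Basic xyz",
                      "Accept": "application/json"}, fake_send)
    return sent

if __name__ == "__main__":
    for url, hdrs in demo():
        print(url, sorted(hdrs))
```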


RECOMMENDATION:

We strongly recommend updating the affected Kiota libraries to the patched versions listed in the advisory: https://github.com/advisories/GHSA-7j59-v9qr-6fq9

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-7j59-v9qr-6fq9
