CVE-2026-44431

NameCVE-2026-44431
Descriptionurllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1136653

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
python-urllib3 (PTS)bullseye1.26.5-1~exp1vulnerable
bullseye (security)1.26.5-1~exp1+deb11u3vulnerable
bookworm1.26.12-1+deb12u1vulnerable
bookworm (security)1.26.12-1+deb12u3vulnerable
trixie (security), trixie2.3.0-3+deb13u1vulnerable
forky, sid2.6.3-2vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
python-urllib3source(unstable)(unfixed)1136653

Notes

https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc
Search for package or bug name: Reporting problems