{"id":"PYSEC-2026-141","details":"urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward sensitive request headers. This vulnerability is fixed in 2.7.0.","aliases":["CVE-2026-44431","GHSA-qccp-gfcp-xxvc"],"modified":"2026-05-20T09:19:20.983812Z","published":"2026-05-13T16:16:57.150Z","references":[{"type":"ADVISORY","url":"https://github.com/urllib3/urllib3/security/advisories/GHSA-qccp-gfcp-xxvc"}],"affected":[{"package":{"name":"urllib3","ecosystem":"PyPI","purl":"pkg:pypi/urllib3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"1.23"},{"fixed":"2.7.0"}]}],"versions":["1.23","1.24","1.24.1","1.24.2","1.24.3","1.25","1.25.1","1.25.10","1.25.11","1.25.2","1.25.3","1.25.4","1.25.5","1.25.6","1.25.7","1.25.8","1.25.9","1.26.0","1.26.1","1.26.10","1.26.11","1.26.12","1.26.13","1.26.14","1.26.15","1.26.16","1.26.17","1.26.18","1.26.19","1.26.2","1.26.20","1.26.3","1.26.4","1.26.5","1.26.6","1.26.7","1.26.8","1.26.9","2.0.0","2.0.0a1","2.0.0a2","2.0.0a3","2.0.0a4","2.0.1","2.0.2","2.0.3","2.0.4","2.0.5","2.0.6","2.0.7","2.1.0","2.2.0","2.2.1","2.2.2","2.2.3","2.3.0","2.4.0","2.5.0","2.6.0","2.6.1","2.6.2","2.6.3"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/urllib3/PYSEC-2026-141.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}