CVE-2026-44431: urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via…

high8.2CVSS 4.0

AVNACHATPPRNUINVCHVINVANSCNSINSANEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX

urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0.

Affected

139 ranges· showing 25

Vendor	Product	Version range	Fixed in
ansible-automation-platform-24	lightspeed-rhel8	—	—
ansible-automation-platform-25	ee-supported-rhel8	—	—
ansible-automation-platform-25	lightspeed-chatbot-rhel8	—	—
ansible-automation-platform-25	lightspeed-rhel8	—	—
ansible-automation-platform-26	controller-rhel9	—	—
ansible-automation-platform-26	controller-rhel9-operator	—	—
ansible-automation-platform-26	de-minimal-rhel9	—	—
ansible-automation-platform-26	de-supported-rhel9	—	—
ansible-automation-platform-26	eda-controller-rhel9	—	—
ansible-automation-platform-26	eda-controller-rhel9-operator	—	—
ansible-automation-platform-26	ee-minimal-rhel9	—	—
ansible-automation-platform-26	ee-supported-rhel9	—	—
ansible-automation-platform-26	gateway-rhel9	—	—
ansible-automation-platform-26	gateway-rhel9-operator	—	—
ansible-automation-platform-26	hub-rhel9	—	—
ansible-automation-platform-26	hub-rhel9-operator	—	—
ansible-automation-platform-26	lightspeed-chatbot-rhel9	—	—
ansible-automation-platform-26	lightspeed-rhel9	—	—
ansible-automation-platform-26	lightspeed-rhel9-operator	—	—
ansible-automation-platform-26	platform-resource-rhel9-operator	—	—
ansible-automation-platform-26	platform-resource-runner-rhel9	—	—
ansible-automation-platform-tech-preview	metrics-service-rhel9	—	—
ansible-automation-platform-tech-preview	metrics-service-rhel9-operator	—	—
ansible-automation-platform	automation-dashboard-rhel9	—	—
aquasecurity	trivy	—	—