Kiota HTTP Libraries, Automatic Redirect Header Leak, CVE-2026-41135 (Medium)


The `RedirectHandler` middleware in Kiota HTTP libraries (Java, .NET, Python, TypeScript, Go) follows 3xx redirects to a different host or scheme without stripping all sensitive HTTP headers. It removes only the `Authorization` header, but forwards Cookie, Proxy-Authorization, and any custom authentication headers (e.g., X-API-Key). This behavior is enabled by default in every Kiota client created via KiotaClientFactory.create(), because the library explicitly disables the secure redirect handling built into the underlying HTTP stack (e.g., OkHttp) and uses its own flawed implementation. The vulnerable code in `RedirectHandler.java` only checks for same scheme/host and then removes only the `Authorization` header. All other sensitive headers remain in the forwarded request, leaking them to the untrusted redirect target. This bug exists across all Kiota language implementations and can be triggered by any 3xx redirect (301, 302, 303, 307, 308) to an external domain, exposing session cookies, proxy credentials, and API keys to an attacker who controls the redirect destination.

DailyCVE Form

Platform: kiota-java
Version: ≤1.9.0
Vulnerability: Info leak
Severity: Medium
Date: 2024-09-26

Prediction: 2024-10-15

Analytics

What Undercode Say:

Detect the presence of the vulnerable RedirectHandler (the original `--include=".java"` matched only files literally named `.java`; the glob is corrected here):

```shell
grep -r "RedirectHandler" . --include="*.java" | grep -v "test"
```

Check whether KiotaClientFactory disables the native redirect handling of the HTTP stack:

```shell
grep -A5 "setFollowRedirects" $(find . -name "KiotaClientFactory.java")
```

Simulation of the vulnerable redirect logic (the pre-fix behaviour described above, kept as a fragment):

```java
// Vulnerable redirect logic: only the scheme/host check, then only Authorization is dropped
if (!sameScheme || !sameHost) {
    requestBuilder.removeHeader("Authorization");
    // Cookie, Proxy-Authorization, X-API-Key remain on the request -> leaked to the redirect target
}
```

Exploit

  1. Attacker poisons an API response with a 302 redirect to evil.attacker.com.
  2. Kiota client automatically follows redirect, forwarding all headers except Authorization.
  3. Attacker receives Cookie, Proxy-Authorization, and custom auth headers.

Protection from this CVE

  • Upgrade to Kiota version ≥1.10.0.
  • Replace `RedirectHandler` with a secure implementation or re-enable OkHttp’s native redirect handler.
  • Validate all redirect locations before permitting client to follow them.
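The second and third protections, as an added example that is not part of the Kiota project's code: a cross-origin check that strips every credential-bearing header (not only `Authorization`) and an allowlist validation of the redirect target before it is followed. The header names, the `x-api-`/`x-auth-` prefixes and the sample hosts are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

# Headers that must never cross a scheme/host boundary on a redirect.
# Added example policy, not Kiota's own list; extend it to match your deployment.
SENSITIVE_HEADERS = {"authorization", "cookie", "proxy-authorization"}
# Constructed prefixes standing in for custom authentication headers such as X-API-Key.
SENSITIVE_PREFIXES = ("x-api-", "x-auth-")


def is_cross_origin(original_url: str, location: str) -> bool:
    """True when the redirect target differs in scheme or host from the original request.

    Location may be relative, so it is resolved against the original URL first.
    A Location that cannot be parsed yields hostname None and is treated as cross-origin.
    """
    orig = urlsplit(original_url)
    target = urlsplit(urljoin(original_url, location))
    return (orig.scheme, orig.hostname) != (target.scheme, target.hostname)


def headers_for_redirect(original_url: str, location: str, headers: dict) -> dict:
    """Return the headers that may be forwarded to the redirect target.

    Same scheme and host: forward unchanged. Any scheme or host change (including an
    https -> http downgrade on the same host): drop every credential-bearing header.
    """
    if not is_cross_origin(original_url, location):
        return dict(headers)
    return {
        name: value
        for name, value in headers.items()
        if name.lower() not in SENSITIVE_HEADERS
        and not name.lower().startswith(SENSITIVE_PREFIXES)
    }


def redirect_allowed(original_url: str, location: str, allowed_hosts: set) -> bool:
    """Validate a Location before following it: https only and host on an explicit allowlist."""
    target = urlsplit(urljoin(original_url, location))
    return target.scheme == "https" and target.hostname in allowed_hosts


if __name__ == "__main__":
    # Constructed sample request: every header the advisory names as leaked.
    sample = {"Authorization": "Bearer t", "Cookie": "sid=1",
              "Proxy-Authorization": "Basic x", "X-API-Key": "k", "Accept": "application/json"}
    print(headers_for_redirect("https://api.example.com/v1/me", "https://other.example.net/x", sample))
```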

Impact

Session hijacking, corporate proxy credential theft, and API key leakage. All consumers of Kiota libraries are affected, including the Microsoft Graph SDK for Java.

Sources:

Reported By: github.com