Open Redirect in Microsoft Github.com/microsoft/kiota-http-go

CVE-2026-44503

The RedirectHandler middleware in microsoft/kiota-java (com.microsoft.kiota:microsoft-kiota-http-okHttp v1.9.0) and other Kiota libraries fails to strip sensitive HTTP headers when following 3xx redirects to a different host or scheme. Onl…

Vulnerability class: Open Redirect

EPSS: 0.001 (23.5th percentile) — read the EPSS interpretation.

Affected products

Microsoft Github.com/microsoft/kiota-http-go — versions < 1.5.5
Microsoft Kiota-java — versions < 1.9.1
Microsoft Kiota-typescript — versions < 1.0.0-preview.100
Microsoft Microsoft-kiota-abstractions — versions < 1.9.1
Microsoft Microsoft.kiota.abstractions — versions < 1.22.0
Microsoft Microsoft-kiota-http — versions < 1.9.9

Weakness classification (CWE)

CWE-601 — URL Redirection to Untrusted Site (Open Redirect)

References

security-advisories@github.com (x_refsource_CONFIRM)