CVE-2026-40175 — Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain

Description

Axios is a promise based HTTP client for the browser and Node.js. Versions prior to 1.15.0 and 0.3.1 are vulnerable to a specific gadget-style attack chain in which prototype pollution in a third-party dependency may be leveraged to inject unsanitized header values into outbound requests. This vulnerability is fixed in 1.15.0 and 0.3.1.

How to fix CVE-2026-40175

To remediate CVE-2026-40175, upgrade the affected package to a fixed version below.

—no fix listed
—upgrade to 1.15.0 or later

Is CVE-2026-40175 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0
>= 1.0.0, < 1.15.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.8	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

References (12)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-40175
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2026-40175
PATCHgithub.com/axios/axios
WEBcert-portal.siemens.com/productcert/html/ssa-876049.html
WEB