Detections
Analytics

SCA: security update for @microsoft/kiota-http-fetchlibrary (GHSA-396q-4vc8-28x9)

medium Tenable Self-Hosted Container Security Plugin ID 444052

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

 - @microsoft/kiota-http-fetchlibrary provides TypeScript libraries for Kiota-generated API clients. In
 versions 1.0.0-preview.97 through 1.0.0-preview.101, `@microsoft/kiota-http-fetchlibrary`'s
 `RedirectHandler` is documented as stripping `Authorization` and `Cookie` from cross-origin redirect
 targets, but the default `scrubSensitiveHeaders` callback in `RedirectHandlerOptions` uses case-sensitive
 property deletion (`delete headers.Authorization`, `delete headers.Cookie`) on a headers object that
 `FetchRequestAdapter.getRequestFromRequestInformation` has already lower-cased. The delete therefore
 targets keys that do not exist, the scrub is a no-op, and any Bearer token or Cookie attached by a kiota-
 generated SDK is forwarded to an attacker-controlled host across a 30x redirect. This is reachable in the
 default middleware chain (`MiddlewareFactory.getDefaultMiddlewares`) with no custom configuration, and
 applies to every kiota-generated TypeScript SDK that uses `BaseBearerTokenAuthenticationProvider` or any
 other authentication provider that sets the `Authorization` request header. Version 1.0.0-preview.102
 patches the issue. (CVE-2026-49336)

Solution

Update the @microsoft/kiota-http-fetchlibrary library and its related packages to version 1.0.0-preview.102 or later.

See Also

https://github.com/advisories/GHSA-396q-4vc8-28x9

Plugin Details

Severity: Medium

ID: 444052

Version: Revision 1.2

Type: Local

Family: SCA Checks

Published: 6/27/2026

Updated: 6/29/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3.2

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2026-49336

CVSS v3

Risk Factor: Medium

Base Score: 4.7

Temporal Score: 4.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 6.9

Threat Score: 2.7

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 6/26/2026

Vulnerability Publication Date: 6/19/2026

Reference Information

CVE: CVE-2026-49336