CVE-2026-44495 is a prototype pollution vulnerability in the axios HTTP client library affecting any Node.js or browser-based application built on axios where attacker-controlled data can reach the library’s configuration merge logic. Successful exploitation enables theft of Authorization headers and cookies and manipulation of HTTP response handling. The affected version range has not yet been confirmed in available source data; organizations must query their software bill of materials for all axios versions and monitor GHSA-3g43-6gmg-66jw for patch confirmation.