CVE-2026-40175 affects the Axios npm package. OSV advisory GHSA-fvcv-3m26-pcqx characterizes it as an HTTP header injection that enables cloud metadata exfiltration and credential theft via SSRF to cloud instance metadata endpoints (AWS IMDSv1, GCP, Azure IMDS). CVSS scoring and confirmed affected version ranges are pending NVD publication and should not be assumed from secondary sources. Claims of RCE and prototype pollution that appear in secondary coverage carry low confidence and are not confirmed by the authoritative OSV source.

The priority score is low (0.1), reflecting the absence of confirmed exploitation or CISA KEV status. Even so, cloud-hosted Node.js applications that use Axios should enforce IMDSv2, block egress to 169.254.169.254, and monitor OSV advisory GHSA-fvcv-3m26-pcqx for the patched version release.

Note: Axios is also implicated in the separate supply chain campaign (SCC-CAM-2026-0169); organizations should address both tracks independently.
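
The header-injection and metadata-endpoint concerns described above can also be checked in application code before a request is handed to the HTTP client. The following is an added example, not code from Axios or from the advisory; `checkOutboundRequest` and the `{ url, headers }` config shape are assumptions, and the host list is a starting point rather than a complete inventory.

```javascript
// Added example: hypothetical pre-flight guard, not part of Axios.
// Hosts that serve instance metadata on AWS, GCP and Azure.
const METADATA_HOSTS = new Set([
  "169.254.169.254",          // AWS IMDS, Azure IMDS, GCP metadata server
  "metadata.google.internal", // GCP metadata server DNS name
  "[fd00:ec2::254]",          // AWS IMDS over IPv6
]);
// Any other literal address in the link-local range 169.254.0.0/16.
const LINK_LOCAL_V4 = /^169\.254\.\d{1,3}\.\d{1,3}$/;
// CR, LF or NUL in a header name or value can split one header into several.
const HEADER_BREAK = /[\r\n\0]/;

// Returns a list of findings; an empty list means the request may proceed.
// `config` is assumed to look like { url: string, headers: object }.
function checkOutboundRequest(config) {
  const findings = [];
  let host;
  try {
    // Compare the parsed, normalised hostname rather than the raw string.
    host = new URL(config.url).hostname.toLowerCase();
  } catch {
    return ["unparseable-url"];
  }
  // Strip a trailing dot so the fully qualified form matches as well.
  host = host.replace(/\.$/, "");
  if (METADATA_HOSTS.has(host) || LINK_LOCAL_V4.test(host)) {
    findings.push("metadata-destination:" + host);
  }
  for (const [name, value] of Object.entries(config.headers || {})) {
    // Header values may be arrays; check every element as a string.
    const values = Array.isArray(value) ? value : [value];
    if (HEADER_BREAK.test(name) || values.some((v) => HEADER_BREAK.test(String(v)))) {
      findings.push("header-injection:" + JSON.stringify(name));
    }
  }
  return findings;
}

// Constructed sample: a caller-supplied header value containing CR and LF.
const sample = {
  url: "https://api.example.com/v1/items",
  headers: { "X-Request-Tag": "abc\r\nX-Injected: 1" },
};
console.log(checkOutboundRequest(sample));
```

Called from a request interceptor or a wrapper around the HTTP client, a non-empty result should fail the request and be logged; the network-level egress block and IMDSv2 enforcement remain the primary controls.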