Axios Releases Security Update to Address Critical Vulnerability
Summary
CVE‑2026‑40175 could be used in an attack chain to allow for remote code execution or full cloud compromise
Affected platforms
The following platforms are known to be affected:
Threat details
Proof-of-Concept for CVE-2026-40175
A public proof-of-concept exploit has been released demonstrating exploitation of CVE-2026-40175 via a chained "gadget" attack.
The NHS England National CSOC assesses that as a proof-of-concept exploit is available, exploitation is highly likely.
Introduction
Axios has released a security update to address a critical vulnerability in the Axios HTTP client library. Successful exploitation could allow an attacker to escalate prototype pollution in third‑party dependencies into remote code execution or full cloud environment compromise, including credential theft from cloud metadata services.
- CVE-2026-40175 – An 'improper input validation / header injection' vulnerability – CVSS v3.1: 10.0
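The weakness class named above (prototype pollution in a dependency escalating into header injection) is easiest to see side by side with its hardened form. The following is an added illustration written for this alert; it is not Axios's code, does not reproduce the public proof-of-concept, and the helper names (`buildHeadersNaive`, `buildHeadersSafe`, `simulatePollution`) are hypothetical. It shows how a naive header merge picks up a property injected into `Object.prototype` by some other library, and how a merge that copies only own properties and rejects CR/LF in values does not.

```javascript
// Added illustration of the weakness class (prototype pollution -> HTTP
// header injection). Hypothetical helpers; not axios code, not the PoC.

// Naive header assembly: for...in walks the prototype chain, so any key
// a polluted Object.prototype carries is copied into the outgoing headers.
function buildHeadersNaive(userHeaders) {
  const out = {};
  for (const name in userHeaders) {
    out[name] = userHeaders[name];
  }
  return out;
}

// Hardened assembly: own enumerable keys only, string values only, valid
// token names only, and no CR/LF (which would let one value terminate a
// header line and start another).
const HEADER_NAME = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/; // RFC 7230 token
function buildHeadersSafe(userHeaders) {
  const out = Object.create(null); // result has no prototype to inherit from
  for (const name of Object.keys(userHeaders)) { // own keys, not inherited ones
    const value = userHeaders[name];
    if (!HEADER_NAME.test(name)) throw new Error(`invalid header name: ${name}`);
    if (typeof value !== 'string') throw new Error(`non-string value for ${name}`);
    if (/[\r\n]/.test(value)) throw new Error(`CR/LF in value for ${name}`);
    out[name] = value;
  }
  return out;
}

// Stand-ins for a third-party dependency that pollutes the global prototype.
function simulatePollution(key, value) { Object.prototype[key] = value; }
function clearPollution(key) { delete Object.prototype[key]; }

// Runs both builders against the same caller-supplied headers while the
// prototype is polluted, and reports whether the injected header leaked.
function demo() {
  const userHeaders = { Accept: 'application/json' };
  simulatePollution('X-Injected', 'attacker-controlled');
  try {
    const naive = buildHeadersNaive(userHeaders);
    const safe = buildHeadersSafe(userHeaders);
    return {
      naiveHasInjected: Object.keys(naive).includes('X-Injected'),
      safeHasInjected: Object.keys(safe).includes('X-Injected'),
    };
  } finally {
    clearPollution('X-Injected'); // never leave the test pollution behind
  }
}
```

Running `demo()` returns `naiveHasInjected: true` and `safeHasInjected: false`. The design point is that neither an allow-list of header names nor a patched library alone closes this class: the header-building code must stop trusting inherited properties and must refuse control characters in values, since the polluting dependency is, by definition, outside the HTTP client's control.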
Remediation advice
Affected organisations are strongly encouraged to review the Axios advisory "Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain" and upgrade to Axios version 1.15.0 or later as soon as possible.
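Because Axios is often pulled in transitively, a project can carry several copies at different versions, and `npm ls` on one workspace does not always show them all. The following added example (not NHS or Axios tooling; the function names and the sample lockfile are constructed for this alert) walks an npm `package-lock.json` in both the lockfileVersion 2/3 `packages` layout and the older nested `dependencies` layout, lists every `axios` entry with its install path, and flags those below the fixed version 1.15.0 stated above.

```javascript
// Added example: locate every axios copy in an npm lockfile and flag those
// below the advisory's fixed version. Constructed helpers, not axios tooling.
const FIXED_VERSION = '1.15.0'; // from the advisory: upgrade to 1.15.0 or later

// Minimal numeric semver compare on major.minor.patch (pre-release tags are
// ignored, which is sufficient for a below-fixed-version check).
function compareVersions(a, b) {
  const pa = a.replace(/^[^\d]*/, '').split('.').map(Number);
  const pb = b.replace(/^[^\d]*/, '').split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Returns [{ path, version, vulnerable }] for each axios install found.
function findAxios(lock) {
  const found = [];
  if (lock.packages) { // lockfileVersion 2 or 3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === 'node_modules/axios' || path.endsWith('/node_modules/axios')) {
        found.push({ path, version: meta.version });
      }
    }
  }
  if (lock.dependencies) { // lockfileVersion 1 (and legacy section of v2): nested tree
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === 'axios') found.push({ path, version: meta.version });
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  const seen = new Set(); // a v2 lock lists each copy in both sections
  return found
    .filter((e) => !seen.has(e.path) && seen.add(e.path))
    .map((e) => ({ ...e, vulnerable: compareVersions(e.version, FIXED_VERSION) < 0 }));
}

// Convenience wrapper for the raw file contents of package-lock.json.
function scanLockfileText(jsonText) {
  return findAxios(JSON.parse(jsonText));
}

// Constructed sample lockfile (v3 layout): the direct dependency is already
// fixed, but a nested copy under another package is not.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '0.1.0' },
    'node_modules/axios': { version: '1.15.0' },
    'node_modules/some-sdk': { version: '2.0.0' },
    'node_modules/some-sdk/node_modules/axios': { version: '1.14.0' },
  },
};

function scanSample() {
  return findAxios(SAMPLE_LOCK);
}
```

On the constructed sample, `scanSample()` reports the top-level copy as fixed and the copy under `some-sdk` as vulnerable; in practice, pass the contents of a real `package-lock.json` to `scanLockfileText` and treat any `vulnerable: true` entry as a dependency that must be bumped or overridden, not just the direct one.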
Definitive source of threat updates
Last edited: 14 April 2026 3:06 pm