CVE-2026-42264
Published: 08 May 2026
Summary
CVE-2026-42264 is a high-severity Prototype Pollution (CWE-1321) vulnerability in Axios Axios. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Web Protocols (T1071.001); ranked at the 37.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-28505
Vulnerability details
Axios is a promise based HTTP client for the browser and Node.js. From version 1.0.0 to before version 1.15.2, fFive config properties (auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser) in the HTTP adapter are read via direct property access without hasOwnProperty…
more
guards, making them exploitable as prototype pollution gadgets. When Object.prototype is polluted by another dependency in the same process, axios silently picks up these polluted values on every outbound HTTP request. This issue has been patched in version 1.15.2.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Prototype pollution gadget directly manipulates Axios HTTP adapter properties (baseURL, auth, beforeRedirect), enabling control over outbound web requests and data exfiltration.
CVEs Like This One
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.