theinfosecnews

CVE-2026-40175

Published April 11, 2026 · Updated April 11, 2026

CVSS 10.0 (critical)

What This Means

CVE-2026-40175 affects Axios versions prior to 1.15.0 and carries a CVSS score of 10.0, indicating critical severity. It allows a "Gadget" attack chain to escalate Prototype Pollution in any third-party dependency into Remote Code Execution (RCE) or Full Cloud Compromise via an AWS IMDSv2 bypass. Upgrade to Axios 1.15.0 or later immediately to mitigate this risk.

Official Description

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0, the Axios library is vulnerable to a specific "Gadget" attack chain that allows Prototype Pollution in any third-party dependency to be escalated into Remote Code Execution (RCE) or Full Cloud Compromise (via AWS IMDSv2 bypass). This vulnerability is fixed in 1.15.0.

Recommended Actions

  1. Check whether your systems use Axios at any version prior to 1.15.0 (the affected product described above).
  2. Apply the vendor patch immediately: the fix ships in Axios 1.15.0.
  3. Monitor vendor advisories for updates and additional mitigations.
  4. Review logs for indicators of compromise related to CVE-2026-40175.
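A lockfile check for step 1 above, added here as an example (it is not from the advisory or the Axios project): it scans a package-lock.json (lockfileVersion 2 or 3) for every installed copy of axios, including copies nested under other dependencies, and reports those below 1.15.0. The sample lockfile and the dependency name `some-sdk` are constructed.

```javascript
// Added example: find every installed axios below the fixed version in an npm lockfile.
const FIXED_VERSION = '1.15.0';

// Parse "1.7.9" or "1.15.0-beta.1" into comparable parts; build metadata (+...) is ignored.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { core: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split('.') : [] };
}

// Negative if a < b, 0 if equal, positive if a > b. A pre-release sorts below its
// release (1.15.0-rc.1 < 1.15.0); numeric pre-release ids sort before alphanumeric ones.
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (let i = 0; i < 3; i++) if (x.core[i] !== y.core[i]) return x.core[i] - y.core[i];
  if (!x.pre.length || !y.pre.length) return y.pre.length - x.pre.length;
  for (let i = 0; i < Math.max(x.pre.length, y.pre.length); i++) {
    if (i >= x.pre.length) return -1;
    if (i >= y.pre.length) return 1;
    const p = x.pre[i], q = y.pre[i], pn = /^\d+$/.test(p), qn = /^\d+$/.test(q);
    if (pn && qn) { if (+p !== +q) return +p - +q; }
    else if (pn !== qn) return pn ? -1 : 1;
    else if (p !== q) return p < q ? -1 : 1;
  }
  return 0;
}

// Return every axios entry in the lockfile's "packages" map that is below the fix,
// as { path, version }. Nested installs are matched by the ".../node_modules/axios" suffix.
function findVulnerableAxios(lockfile) {
  const packages = lockfile.packages || {};
  const hits = [];
  for (const [path, meta] of Object.entries(packages)) {
    if (!/(^|\/)node_modules\/axios$/.test(path) || !meta.version) continue;
    if (compareSemver(meta.version, FIXED_VERSION) < 0) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample: one direct (patched) copy and one nested (vulnerable) copy
// pulled in by a hypothetical dependency "some-sdk".
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/axios': { version: '1.15.0' },
    'node_modules/some-sdk': { version: '2.3.1' },
    'node_modules/some-sdk/node_modules/axios': { version: '1.7.9' },
  },
};
console.log(findVulnerableAxios(SAMPLE_LOCK));
```

To run it against a real project, pass `JSON.parse` of the project's package-lock.json to `findVulnerableAxios` instead of `SAMPLE_LOCK`; a nested hit means a transitive dependency must also be updated, not just the top-level axios entry.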
