diff --git a/RELEASE_NOTES.txt b/RELEASE_NOTES.txt
index 38eca1dd1..de0a9a4de 100644
--- a/RELEASE_NOTES.txt
+++ b/RELEASE_NOTES.txt
@@ -1,5 +1,9 @@
 Changes since 4.1
+* [HTTPCLIENT-1061] Fixed critical bug causing Proxy-Authorization header to be sent to the target
+ host when tunneling requests through a proxy server that requires authentication.
+ Contributed by Oleg Kalnichevski
+
 * [HTTPCLIENT-1056] Fixed bug causing the RequestAuthCache protocol interceptor to generate an invalid AuthScope instance when looking up user credentials for preemptive authentication.
 Contributed by Oleg Kalnichevski
diff --git a/httpclient/src/main/java/org/apache/http/client/protocol/RequestProxyAuthentication.java b/httpclient/src/main/java/org/apache/http/client/protocol/RequestProxyAuthentication.java
index 1105e37fb..659faf50b 100644
--- a/httpclient/src/main/java/org/apache/http/client/protocol/RequestProxyAuthentication.java
+++ b/httpclient/src/main/java/org/apache/http/client/protocol/RequestProxyAuthentication.java
@@ -43,6 +43,9 @@ import org.apache.http.auth.AuthState;
 import org.apache.http.auth.AuthenticationException;
 import org.apache.http.auth.ContextAwareAuthScheme;
 import org.apache.http.auth.Credentials;
+import org.apache.http.conn.HttpRoutedConnection;
+import org.apache.http.conn.routing.HttpRoute;
+import org.apache.http.protocol.ExecutionContext;
 import org.apache.http.protocol.HttpContext;
 /**
@@ -74,6 +77,13 @@ public class RequestProxyAuthentication implements HttpRequestInterceptor {
 return;
 }
+ HttpRoutedConnection conn = (HttpRoutedConnection) context.getAttribute(
+ ExecutionContext.HTTP_CONNECTION);
+ HttpRoute route = conn.getRoute();
+ if (route.isTunnelled()) {
+ return;
+ }
+
 // Obtain authentication state
 AuthState authState = (AuthState) context.getAttribute(
 ClientContext.PROXY_AUTH_STATE);
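Review bot: `conn` is dereferenced in `conn.getRoute()` without a null check, so a context that carries no `ExecutionContext.HTTP_CONNECTION` attribute makes this interceptor throw a NullPointerException instead of simply skipping the header. A guard before the route lookup, `if (conn == null) { return; }`, fails in the safe direction, because no Proxy-Authorization header is added when the route is unknown. The tunnel check would also benefit from a why-comment such as `// Tunnelled route: this request reaches the target host, so proxy credentials must not be attached`, since the security reason is otherwise recorded only in the release notes. The enclosing method starts and ends outside the hunk, so whether a caller already guarantees the attribute cannot be confirmed from here.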