oss-sec mailing list archives
[SECURITY] CVE-2026-40542: Apache HttpClient 5.6 SCRAM-SHA-256 mutual authentication bypass
From: Arturo Bernal <abernal () apache org>
Date: Wed, 22 Apr 2026 08:47:31 +0200
Severity: important Affected versions: - Apache HttpClient 5.6 Description: A missing critical step in authentication in Apache HttpClient 5.6 may allow an attacker to cause the client to accept SCRAM-SHA-256 authentication without proper mutual authentication verification. Users are recommended to upgrade to Apache HttpClient 5.6.1. which corrects this issue. Credit: This issue was reported by Rasmus Moorats. References: https://hc.apache.org/ https://www.cve.org/CVERecord?id=CVE-2026-40542 https://github.com/apache/httpcomponents-client/commit/726eac2323d370435d8afca1e0540aa099927f18 Arturo
Current thread:
- [SECURITY] CVE-2026-40542: Apache HttpClient 5.6 SCRAM-SHA-256 mutual authentication bypass Arturo Bernal (Apr 22)
