HIGH🇵🇱 Wersja polska

CVE-2026-40542

CVSS 7.3v3.1pub. 2026-04-22upd. 2026-06-30

Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to accept SCRAM-SHA-256 authentication without proper mutual authentication verification. Users are recommended to upgrade to version 5.6.1, which fixes this issue.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
  • Apache Httpclient

    APP
    Apache
    5.6
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2013-4366CRITICAL9.8ten sam produkt

http/impl/client/HttpClientBuilder.java in Apache HttpClient 4.3.x before 4.3.1 does not ensure that X509Hostn...

CVE-2025-27820HIGH7.5ten sam produkt

A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management a...

CVE-2020-13956MEDIUM5.3ten sam produkt

Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in...

CVE-2015-5262MEDIUM4.3ten sam produkt

http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the htt...

CVE-2014-3577MEDIUM5.8ten sam produkt

org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient...