CVE-2026-40490

Source
https://cve.org/CVERecord?id=CVE-2026-40490
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40490.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-40490
Aliases
Downstream
Related
Published
2026-04-18T01:31:13.860Z
Modified
2026-07-08T08:13:12.865559415Z
Severity
  • 6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N CVSS Calculator
Summary
AsyncHttpClient leaks authorization credentials to untrusted domains on cross-origin redirects
Details

The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. When redirect following is enabled (followRedirect(true)), versions of AsyncHttpClient prior to 3.0.9 and 2.14.5 forward Authorization and Proxy-Authorization headers along with Realm credentials to arbitrary redirect targets regardless of domain, scheme, or port changes. This leaks credentials on cross-domain redirects and HTTPS-to-HTTP downgrades. Additionally, even when stripAuthorizationOnRedirect is set to true, the Realm object containing plaintext credentials is still propagated to the redirect request, causing credential re-generation for Basic and Digest authentication schemes via NettyRequestFactory. An attacker who controls a redirect target (via open redirect, DNS rebinding, or MITM on HTTP) can capture Bearer tokens, Basic auth credentials, or any other Authorization header value. The fix in versions 3.0.9 and 2.14.5 automatically strips Authorization and Proxy-Authorization headers and clears Realm credentials whenever a redirect crosses origin boundaries (different scheme, host, or port) or downgrades from HTTPS to HTTP. For users unable to upgrade, set (stripAuthorizationOnRedirect(true)) in the client config and avoid using Realm-based authentication with redirect following enabled. Note that (stripAuthorizationOnRedirect(true)) alone is insufficient on versions prior to 3.0.9 and 2.14.5 because the Realm bypass still re-generates credentials. Alternatively, disable redirect following (followRedirect(false)) and handle redirects manually with origin validation.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40490.json",
    "cwe_ids": [
        "CWE-200"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/asynchttpclient/async-http-client

Affected ranges

Type
GIT
Repo
https://github.com/asynchttpclient/async-http-client
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "3.0.0.Beta1"
        },
        {
            "fixed": "3.0.9"
        },
        {
            "introduced": "0"
        },
        {
            "fixed": "2.14.5"
        }
    ]
}

Affected versions

2.*
2.0.0-alpha1
2.0.0-alpha2
2.0.0-alpha3
2.0.0-alpha4
2.0.0-alpha5
2.0.0-alpha6
2.0.0-alpha7
2.0.0-alpha8
async-http-client-1.*
async-http-client-1.0.0
async-http-client-1.2.0
async-http-client-1.3.0
async-http-client-1.3.1
async-http-client-1.3.2
async-http-client-1.4.0
async-http-client-1.4.1
async-http-client-1.5.0
async-http-client-1.6.0
async-http-client-1.6.1
async-http-client-1.6.2
async-http-client-1.6.3
async-http-client-1.7.0
async-http-client-1.7.1
async-http-client-1.7.2
async-http-client-1.7.3
async-http-client-1.7.4
async-http-client-project-2.*
async-http-client-project-2.0.0
async-http-client-project-2.0.0-RC1
async-http-client-project-2.0.0-RC10
async-http-client-project-2.0.0-RC11
async-http-client-project-2.0.0-RC12
async-http-client-project-2.0.0-RC13
async-http-client-project-2.0.0-RC14
async-http-client-project-2.0.0-RC15
async-http-client-project-2.0.0-RC16
async-http-client-project-2.0.0-RC17
async-http-client-project-2.0.0-RC18
async-http-client-project-2.0.0-RC19
async-http-client-project-2.0.0-RC2
async-http-client-project-2.0.0-RC20
async-http-client-project-2.0.0-RC21
async-http-client-project-2.0.0-RC3
async-http-client-project-2.0.0-RC4
async-http-client-project-2.0.0-RC5
async-http-client-project-2.0.0-RC6
async-http-client-project-2.0.0-RC7
async-http-client-project-2.0.0-RC8
async-http-client-project-2.0.0-RC9
async-http-client-project-2.0.0-alpha10
async-http-client-project-2.0.0-alpha11
async-http-client-project-2.0.0-alpha12
async-http-client-project-2.0.0-alpha13
async-http-client-project-2.0.0-alpha14
async-http-client-project-2.0.0-alpha15
async-http-client-project-2.0.0-alpha16
async-http-client-project-2.0.0-alpha17
async-http-client-project-2.0.0-alpha18
async-http-client-project-2.0.0-alpha19
async-http-client-project-2.0.0-alpha20
async-http-client-project-2.0.0-alpha21
async-http-client-project-2.0.0-alpha22
async-http-client-project-2.0.0-alpha23
async-http-client-project-2.0.0-alpha24
async-http-client-project-2.0.0-alpha25
async-http-client-project-2.0.0-alpha26
async-http-client-project-2.0.0-alpha27
async-http-client-project-2.0.0-alpha9
async-http-client-project-2.0.1
async-http-client-project-2.0.10
async-http-client-project-2.0.11
async-http-client-project-2.0.12
async-http-client-project-2.0.13
async-http-client-project-2.0.14
async-http-client-project-2.0.15
async-http-client-project-2.0.16
async-http-client-project-2.0.17
async-http-client-project-2.0.18
async-http-client-project-2.0.19
async-http-client-project-2.0.2
async-http-client-project-2.0.20
async-http-client-project-2.0.21
async-http-client-project-2.0.22
async-http-client-project-2.0.23
async-http-client-project-2.0.24
async-http-client-project-2.0.3
async-http-client-project-2.0.4
async-http-client-project-2.0.5
async-http-client-project-2.0.6
async-http-client-project-2.0.7
async-http-client-project-2.0.8
async-http-client-project-2.0.9
async-http-client-project-2.1.0
async-http-client-project-2.1.0-RC1
async-http-client-project-2.1.0-RC2
async-http-client-project-2.1.0-RC3
async-http-client-project-2.1.0-RC4
async-http-client-project-2.1.0-alpha10
async-http-client-project-2.1.0-alpha11
async-http-client-project-2.1.0-alpha12
async-http-client-project-2.1.0-alpha13
async-http-client-project-2.1.0-alpha14
async-http-client-project-2.1.0-alpha15
async-http-client-project-2.1.0-alpha16
async-http-client-project-2.1.0-alpha17
async-http-client-project-2.1.0-alpha18
async-http-client-project-2.1.0-alpha19
async-http-client-project-2.1.0-alpha2
async-http-client-project-2.1.0-alpha20
async-http-client-project-2.1.0-alpha21
async-http-client-project-2.1.0-alpha22
async-http-client-project-2.1.0-alpha23
async-http-client-project-2.1.0-alpha24
async-http-client-project-2.1.0-alpha25
async-http-client-project-2.1.0-alpha26
async-http-client-project-2.1.0-alpha3
async-http-client-project-2.1.0-alpha4
async-http-client-project-2.1.0-alpha5
async-http-client-project-2.1.0-alpha6
async-http-client-project-2.1.0-alpha7
async-http-client-project-2.1.0-alpha8
async-http-client-project-2.1.0-alpha9
async-http-client-project-2.1.1
async-http-client-project-2.1.2
async-http-client-project-2.10.0
async-http-client-project-2.10.1
async-http-client-project-2.10.2
async-http-client-project-2.10.3
async-http-client-project-2.10.4
async-http-client-project-2.10.5
async-http-client-project-2.11.0
async-http-client-project-2.12.0
async-http-client-project-2.12.1
async-http-client-project-2.12.2
async-http-client-project-2.12.3
async-http-client-project-2.12.4
async-http-client-project-2.2.0
async-http-client-project-2.2.1
async-http-client-project-2.3.0
async-http-client-project-2.4.0
async-http-client-project-2.4.1
async-http-client-project-2.4.2
async-http-client-project-2.4.3
async-http-client-project-2.4.4
async-http-client-project-2.4.5
async-http-client-project-2.4.6
async-http-client-project-2.4.7
async-http-client-project-2.4.8
async-http-client-project-2.4.9
async-http-client-project-2.5.0
async-http-client-project-2.5.1
async-http-client-project-2.5.2
async-http-client-project-2.5.3
async-http-client-project-2.5.4
async-http-client-project-2.6.0
async-http-client-project-2.7.0
async-http-client-project-2.8.0
async-http-client-project-2.8.1
async-http-client-project-2.9.0
async-http-client-project-3.*
async-http-client-project-3.0.0
async-http-client-project-3.0.0.Beta2
async-http-client-project-3.0.0.Beta3
async-http-client-project-3.0.1
async-http-client-project-3.0.2
async-http-client-project-3.0.3
async-http-client-project-3.0.4
async-http-client-project-3.0.5
async-http-client-project-3.0.6
async-http-client-project-3.0.7
async-http-client-project-3.0.8

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40490.json"