CVE-2026-40542

Source
https://cve.org/CVERecord?id=CVE-2026-40542
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40542.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-40542
Aliases
Downstream
Related
Published
2026-04-22T07:07:21.344Z
Modified
2026-07-16T03:30:49.968644297Z
Severity
  • 7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
Summary
Apache HttpClient: SCRAM-SHA-256 mutual authentication bypass may cause the client to accept authentication without proper mutual authentication verification
Details

Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to accept SCRAM-SHA-256 authentication without proper mutual authentication verification. Users are recommended to upgrade to version 5.6.1, which fixes this issue.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40542.json",
    "cwe_ids": [
        "CWE-304"
    ],
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "introduced": "5.6"
                },
                {
                    "fixed": "5.6.1"
                }
            ],
            "source": "AFFECTED_FIELD"
        }
    ],
    "cna_assigner": "apache"
}
References

Affected packages

Git / github.com/apache/httpcomponents-client

Affected ranges

Type
GIT
Repo
https://github.com/apache/httpcomponents-client
Events
Database specific
{
    "cpe": "cpe:2.3:a:apache:httpclient:5.6:-:*:*:*:*:*:*",
    "source": "CPE_STRING",
    "extracted_events": [
        {
            "introduced": "5.6-NA"
        },
        {
            "last_affected": "5.6-NA"
        }
    ]
}

Affected versions

5.*
5.6-NA
5.6-RC1
rel/v5.*
rel/v5.6

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40542.json"