CVE-2026-45300

Source
https://cve.org/CVERecord?id=CVE-2026-45300
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45300.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-45300
Aliases
Downstream
Related
Published
2026-06-05T19:32:43.547Z
Modified
2026-07-15T01:49:05.061260232Z
Severity
  • 7.4 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N CVSS Calculator
Summary
async-http-client: Cookie header not stripped on cross-origin redirect
Details

The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. Versions on the 2.x branch prior to 2.15.0 and the 3.x branch prior to 3.0.10 leak Cookie headers to cross-origin redirect targets. When following a redirect to a different origin, the propagatedHeaders() method in Redirect30xInterceptor.java strips Authorization and Proxy-Authorization headers but does not strip the Cookie header, causing session cookies and other sensitive cookie values to be sent to attacker-controlled servers. Versions 2.15.0 and 3.0.10 patch the issue.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45300.json",
    "cwe_ids": [
        "CWE-200"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/asynchttpclient/async-http-client

Affected ranges

Type
GIT
Repo
https://github.com/asynchttpclient/async-http-client
Events
Database specific
{
    "cpe": "cpe:2.3:a:asynchttpclient_project:async-http-client:*:*:*:*:*:*:*:*",
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "2.0.0"
        },
        {
            "fixed": "2.15.0"
        },
        {
            "introduced": "3.0.0"
        },
        {
            "fixed": "3.0.10"
        }
    ]
}

Affected versions

async-http-client-project-2.*
async-http-client-project-2.0.0
async-http-client-project-2.0.1
async-http-client-project-2.0.10
async-http-client-project-2.0.11
async-http-client-project-2.0.12
async-http-client-project-2.0.13
async-http-client-project-2.0.14
async-http-client-project-2.0.15
async-http-client-project-2.0.16
async-http-client-project-2.0.17
async-http-client-project-2.0.18
async-http-client-project-2.0.19
async-http-client-project-2.0.2
async-http-client-project-2.0.20
async-http-client-project-2.0.21
async-http-client-project-2.0.22
async-http-client-project-2.0.23
async-http-client-project-2.0.24
async-http-client-project-2.0.3
async-http-client-project-2.0.4
async-http-client-project-2.0.5
async-http-client-project-2.0.6
async-http-client-project-2.0.7
async-http-client-project-2.0.8
async-http-client-project-2.0.9
async-http-client-project-2.1.0
async-http-client-project-2.1.0-RC1
async-http-client-project-2.1.0-RC2
async-http-client-project-2.1.0-RC3
async-http-client-project-2.1.0-RC4
async-http-client-project-2.1.0-alpha10
async-http-client-project-2.1.0-alpha11
async-http-client-project-2.1.0-alpha12
async-http-client-project-2.1.0-alpha13
async-http-client-project-2.1.0-alpha14
async-http-client-project-2.1.0-alpha15
async-http-client-project-2.1.0-alpha16
async-http-client-project-2.1.0-alpha17
async-http-client-project-2.1.0-alpha18
async-http-client-project-2.1.0-alpha19
async-http-client-project-2.1.0-alpha2
async-http-client-project-2.1.0-alpha20
async-http-client-project-2.1.0-alpha21
async-http-client-project-2.1.0-alpha22
async-http-client-project-2.1.0-alpha23
async-http-client-project-2.1.0-alpha24
async-http-client-project-2.1.0-alpha25
async-http-client-project-2.1.0-alpha26
async-http-client-project-2.1.0-alpha3
async-http-client-project-2.1.0-alpha4
async-http-client-project-2.1.0-alpha5
async-http-client-project-2.1.0-alpha6
async-http-client-project-2.1.0-alpha7
async-http-client-project-2.1.0-alpha8
async-http-client-project-2.1.0-alpha9
async-http-client-project-2.1.1
async-http-client-project-2.1.2
async-http-client-project-2.10.0
async-http-client-project-2.10.1
async-http-client-project-2.10.2
async-http-client-project-2.10.3
async-http-client-project-2.10.4
async-http-client-project-2.10.5
async-http-client-project-2.11.0
async-http-client-project-2.12.0
async-http-client-project-2.12.1
async-http-client-project-2.12.2
async-http-client-project-2.12.3
async-http-client-project-2.12.4
async-http-client-project-2.14.5
async-http-client-project-2.2.0
async-http-client-project-2.2.1
async-http-client-project-2.3.0
async-http-client-project-2.4.0
async-http-client-project-2.4.1
async-http-client-project-2.4.2
async-http-client-project-2.4.3
async-http-client-project-2.4.4
async-http-client-project-2.4.5
async-http-client-project-2.4.6
async-http-client-project-2.4.7
async-http-client-project-2.4.8
async-http-client-project-2.4.9
async-http-client-project-2.5.0
async-http-client-project-2.5.1
async-http-client-project-2.5.2
async-http-client-project-2.5.3
async-http-client-project-2.5.4
async-http-client-project-2.6.0
async-http-client-project-2.7.0
async-http-client-project-2.8.0
async-http-client-project-2.8.1
async-http-client-project-2.9.0
async-http-client-project-3.*
async-http-client-project-3.0.0
async-http-client-project-3.0.1
async-http-client-project-3.0.2
async-http-client-project-3.0.3
async-http-client-project-3.0.4
async-http-client-project-3.0.5
async-http-client-project-3.0.6
async-http-client-project-3.0.7
async-http-client-project-3.0.8
async-http-client-project-3.0.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45300.json"