UBUNTU-CVE-2026-40490

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2026-40490

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-40490.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-40490

Upstream

CVE-2026-40490

Published

2026-04-18T02:16:00Z

Modified

2026-05-20T16:25:39.654329651Z

Severity

6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. When redirect following is enabled (followRedirect(true)), versions of AsyncHttpClient prior to 3.0.9 and 2.14.5 forward Authorization and Proxy-Authorization headers along with Realm credentials to arbitrary redirect targets regardless of domain, scheme, or port changes. This leaks credentials on cross-domain redirects and HTTPS-to-HTTP downgrades. Additionally, even when stripAuthorizationOnRedirect is set to true, the Realm object containing plaintext credentials is still propagated to the redirect request, causing credential re-generation for Basic and Digest authentication schemes via NettyRequestFactory. An attacker who controls a redirect target (via open redirect, DNS rebinding, or MITM on HTTP) can capture Bearer tokens, Basic auth credentials, or any other Authorization header value. The fix in versions 3.0.9 and 2.14.5 automatically strips Authorization and Proxy-Authorization headers and clears Realm credentials whenever a redirect crosses origin boundaries (different scheme, host, or port) or downgrades from HTTPS to HTTP. For users unable to upgrade, set (stripAuthorizationOnRedirect(true)) in the client config and avoid using Realm-based authentication with redirect following enabled. Note that (stripAuthorizationOnRedirect(true)) alone is insufficient on versions prior to 3.0.9 and 2.14.5 because the Realm bypass still re-generates credentials. Alternatively, disable redirect following (followRedirect(false)) and handle redirects manually with origin validation.

References

Affected packages

Ubuntu:16.04:LTS

async-http-client

Package

Name: async-http-client
Purl: pkg:deb/ubuntu/async-http-client?arch=source&distro=xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.6.5-4

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libasync-http-client-java",
            "binary_version": "1.6.5-4"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-40490.json"

Ubuntu:18.04:LTS

async-http-client

Package

Name: async-http-client
Purl: pkg:deb/ubuntu/async-http-client?arch=source&distro=bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.6.5-4

1.6.5-5

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libasync-http-client-java",
            "binary_version": "1.6.5-5"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-40490.json"

Ubuntu:20.04:LTS

async-http-client

Package

Name: async-http-client
Purl: pkg:deb/ubuntu/async-http-client?arch=source&distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.6.0-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libasync-http-client-java",
            "binary_version": "2.6.0-1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-40490.json"

Ubuntu:22.04:LTS

async-http-client

Package

Name: async-http-client
Purl: pkg:deb/ubuntu/async-http-client?arch=source&distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.12.2-1

2.12.3-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libasync-http-client-java",
            "binary_version": "2.12.3-1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-40490.json"

Ubuntu:24.04:LTS

async-http-client

Package

Name: async-http-client
Purl: pkg:deb/ubuntu/async-http-client?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.12.3-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libasync-http-client-java",
            "binary_version": "2.12.3-1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-40490.json"

Ubuntu:25.10

async-http-client

Package

Name: async-http-client
Purl: pkg:deb/ubuntu/async-http-client?arch=source&distro=questing

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.12.3-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libasync-http-client-java",
            "binary_version": "2.12.3-1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-40490.json"

Ubuntu:26.04:LTS

async-http-client

Package

Name: async-http-client
Purl: pkg:deb/ubuntu/async-http-client?arch=source&distro=resolute

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.12.3-1

2.12.3-1ubuntu1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libasync-http-client-java",
            "binary_version": "2.12.3-1ubuntu1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-40490.json"

Ubuntu:Pro:14.04:LTS

async-http-client

Package

Name: async-http-client
Purl: pkg:deb/ubuntu/async-http-client?arch=source&distro=esm-infra-legacy%2Ftrusty

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.6.5-1

1.6.5-2

1.6.5-2ubuntu0.1~esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libasync-http-client-java",
            "binary_version": "1.6.5-2ubuntu0.1~esm1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-40490.json"