HIGHCVE-2026-40542Published Modified CNA apache
CVE-2026-40542: Apache HttpClient: SCRAM-SHA-256 mutual authentication bypass may cause the client to accept authentication without proper mutual authentication verification
Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to accept SCRAM-SHA-256 authentication without proper mutual authentication verification. Users are recommended to upgrade to version 5.6.1, which fixes this issue.
Metrics
- CVSS v3.1
- 7.3
- Severity
- HIGH
- Fixed in
- 5.6.1
- Affected Products
- 1
Fix available
5.6.1
Affected packages
- Apache Software Foundation / Apache HttpClient< 5.6.1 (from 5.6)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:LReferences