Severity: HIGH · CVE-2026-45300 · CNA: GitHub_M

CVE-2026-45300: async-http-client: Cookie header not stripped on cross-origin redirect

The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. Versions on the 2.x branch prior to 2.15.0 and the 3.x branch prior to 3.0.10 leak `Cookie` headers to cross-origin redirect targets. When following a redirect to a different origin, the `propagatedHeaders()` method in `Redirect30xInterceptor.java` strips `Authorization` and `Proxy-Authorization` headers but does not strip the `Cookie` header, causing session cookies and other sensitive cookie values to be sent to attacker-controlled servers. Versions 2.15.0 and 3.0.10 patch the issue.
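The following is an added example, not code from AsyncHttpClient, that models the decision the advisory describes: which request headers a 30x interceptor carries to the redirect target, with the pre-fix behaviour (only `Authorization` and `Proxy-Authorization` dropped on an origin change) beside the fixed behaviour (`Cookie` dropped as well). The method names, the `Map<String, List<String>>` header representation, the unconditional removal of `Host`, `Content-Length` and `Content-Type`, and the sample request and redirect URIs are all assumptions made for this illustration.

```java
import java.net.URI;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;

/**
 * Illustrative model of 30x redirect header propagation. Added example; it is
 * not AsyncHttpClient's Redirect30xInterceptor, only a reproduction of the
 * behaviour the advisory describes.
 */
public final class RedirectHeaderPropagation {

    /** Two URIs share an origin when scheme, host and effective port all match. */
    static boolean sameOrigin(URI a, URI b) {
        return a.getScheme().equalsIgnoreCase(b.getScheme())
                && a.getHost().equalsIgnoreCase(b.getHost())
                && effectivePort(a) == effectivePort(b);
    }

    static int effectivePort(URI u) {
        if (u.getPort() != -1) {
            return u.getPort();
        }
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    /** Pre-fix behaviour: only the two credential headers are dropped on an origin change. */
    static Map<String, List<String>> propagatedHeadersVulnerable(
            Map<String, List<String>> request, URI from, URI to) {
        Map<String, List<String>> out = copyWithout(request, "Host", "Content-Length", "Content-Type");
        if (!sameOrigin(from, to)) {
            out.remove("Authorization");
            out.remove("Proxy-Authorization");
            // Cookie is left in place: this is the defect fixed in 2.15.0 / 3.0.10
        }
        return out;
    }

    /** Fixed behaviour: Cookie is treated like a credential and dropped on an origin change. */
    static Map<String, List<String>> propagatedHeadersFixed(
            Map<String, List<String>> request, URI from, URI to) {
        Map<String, List<String>> out = copyWithout(request, "Host", "Content-Length", "Content-Type");
        if (!sameOrigin(from, to)) {
            out.remove("Authorization");
            out.remove("Proxy-Authorization");
            out.remove("Cookie");
        }
        return out;
    }

    /** Case-insensitive copy of the header map minus the named entries. */
    private static Map<String, List<String>> copyWithout(Map<String, List<String>> src, String... drop) {
        Map<String, List<String>> out = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        src.forEach((name, values) -> out.put(name, new ArrayList<>(values)));
        for (String name : drop) {
            out.remove(name);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample: a request carrying a session cookie and a bearer token
        Map<String, List<String>> request = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        request.put("Host", List.of("api.example.com"));
        request.put("Authorization", List.of("Bearer <token placeholder>"));
        request.put("Cookie", List.of("JSESSIONID=<session placeholder>"));
        request.put("Accept", List.of("application/json"));

        URI from = URI.create("https://api.example.com/account");
        URI to = URI.create("https://other.example.org/landing"); // constructed cross-origin target

        System.out.println("cross-origin redirect: " + !sameOrigin(from, to));
        System.out.println("vulnerable propagates: " + propagatedHeadersVulnerable(request, from, to).keySet());
        System.out.println("fixed propagates:      " + propagatedHeadersFixed(request, from, to).keySet());
    }
}
```

Running `main` shows `Cookie` in the vulnerable output and absent from the fixed output for the same cross-origin hop; for a same-origin hop (change `to` to another path on `api.example.com`) both variants keep `Authorization` and `Cookie`. Where an upgrade to 2.15.0 or 3.0.10 is not immediately possible, the same check can be applied at the application level by disabling automatic redirect following in the client configuration and re-issuing the redirected request with a filtered header set.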

Metrics

  • CVSS v3.1: 7.4
  • Severity: HIGH
  • Fixed in: 2.15.0 (2.x branch), 3.0.10 (3.x branch)
  • Affected Products: 1


HarborGuard Analysis

Synopsis

This is a sensitive header leak in the AsyncHttpClient (AHC) Java library. When the library follows an HTTP redirect to a different origin, it correctly strips the Authorization header but fails to strip the Cookie header, meaning session cookies and other sensitive cookie values are forwarded to the redirect target. An attacker who can influence the redirect destination (for example, via an open redirect on a trusted service) can receive those cookies and use them to impersonate the victim. A patched-image rebuild at versions 2.15.0 and 3.0.10 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle the async-http-client JAR. Any image on the 2.x branch below 2.15.0 or the 3.x branch below 3.0.10 is flagged automatically.

Triage: Available

HarborGuard scores this CVE at CVSS 7.4 HIGH and weights it against each environment's compliance policy to determine urgency and routing. Findings are dispatched to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Patch: Pending upstream

Patched-image rebuilds at async-http-client 2.15.0 and 3.0.10 are available on HarborGuard for environments running an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the affected service over the network to trigger or influence the HTTP request and its redirect chain.

  • Authentication: Not required

    No authentication is needed; the attacker exploits the redirect behavior without holding any account credentials on the target service.

  • Victim interaction: Required

    A user or application must initiate an HTTP request that the attacker can redirect to an attacker-controlled origin, making victim participation a prerequisite.

  • Attack complexity: Low

    The exploit is reliable and condition-free once a redirect to an attacker-controlled origin can be arranged; no race conditions or special memory layout are required.

Blast Radius

  • An attacker receives the victim's session cookies forwarded by the redirect, enabling them to replay those cookies and impersonate the victim against the originating service.
  • Any other sensitive values stored in cookies (authentication tokens, CSRF tokens, user identifiers) are also disclosed to the attacker-controlled redirect target.
  • Downstream services that accept those cookies as proof of identity are exposed to unauthorized access without any additional credentials.

How HarborGuard Handles This

Available on HarborGuard: images containing async-http-client on the affected 2.x or 3.x ranges are flagged at ingest, and patched rebuilds at versions 2.15.0 and 3.0.10 become available immediately. For customers who opt into auto-remediation, HarborGuard triggers a rebuild at the fixed version, runs a regression test pass, and opens a pull request against affected workloads; for HIGH-severity issues, median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the finding is routed to the designated team inbox with CVSS scoring and policy context attached. As an interim compensating control, network policy rules that restrict outbound HTTP from AHC-based services to a known-good allowlist of origins reduce the opportunity for attacker-influenced redirects to reach external hosts.

Affected packages

  • AsyncHttpClient / async-http-client: >= 2.0.0, < 2.15.0; >= 3.0.0.Beta1, < 3.0.10
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
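As an added example for the affected ranges listed above (not HarborGuard's scanner logic), the following Java class decides whether an async-http-client version string falls inside either range. The range bounds are the ones on this page; the comparator's pre-release handling (a non-numeric component such as `Beta1` sorts below the bare release) and the sample version list in `main` are assumptions made for the illustration.

```java
import java.util.Arrays;
import java.util.List;

/**
 * Added example: classifies an async-http-client version against the affected
 * ranges published for this CVE. Not HarborGuard's own matching code.
 */
public final class AhcAffectedVersion {

    /** Inclusive lower bound, exclusive upper bound, as listed on the page. */
    private static final String[][] AFFECTED_RANGES = {
        {"2.0.0", "2.15.0"},
        {"3.0.0.Beta1", "3.0.10"},
    };

    static boolean isAffected(String version) {
        for (String[] range : AFFECTED_RANGES) {
            if (compare(version, range[0]) >= 0 && compare(version, range[1]) < 0) {
                return true;
            }
        }
        return false;
    }

    /**
     * Compares dotted versions component by component. Numeric components compare
     * numerically; a non-numeric component (Beta1, RC2) is a pre-release and sorts
     * below both a numeric component and a missing component, so
     * 3.0.0.Beta1 < 3.0.0 < 3.0.0.1. Pre-release text is compared lexically,
     * which is adequate for Beta1/Beta2 but not for Beta10 vs Beta2.
     */
    static int compare(String a, String b) {
        String[] pa = a.trim().split("[.\\-]");
        String[] pb = b.trim().split("[.\\-]");
        int n = Math.max(pa.length, pb.length);
        for (int i = 0; i < n; i++) {
            String x = i < pa.length ? pa[i] : null;
            String y = i < pb.length ? pb[i] : null;
            int c = compareComponent(x, y);
            if (c != 0) {
                return c;
            }
        }
        return 0;
    }

    /** Rank order: pre-release text (0) < missing (1) < numeric (2); ties broken within the rank. */
    private static int compareComponent(String x, String y) {
        int rx = rank(x);
        int ry = rank(y);
        if (rx != ry) {
            return Integer.compare(rx, ry);
        }
        if (rx == 2) {
            return Long.compare(Long.parseLong(x), Long.parseLong(y));
        }
        if (rx == 0) {
            return x.compareToIgnoreCase(y);
        }
        return 0; // both components missing
    }

    private static int rank(String s) {
        if (s == null) {
            return 1;
        }
        return isNumeric(s) ? 2 : 0;
    }

    private static boolean isNumeric(String s) {
        return !s.isEmpty() && s.chars().allMatch(Character::isDigit);
    }

    public static void main(String[] args) {
        // Constructed sample versions; 3.0.0.Beta1 is the lower bound given on the page
        List<String> samples = Arrays.asList(
                "1.9.40", "2.0.0", "2.12.3", "2.15.0", "3.0.0.Beta1", "3.0.9", "3.0.10");
        for (String v : samples) {
            System.out.printf("%-12s affected=%b%n", v, isAffected(v));
        }
    }
}
```

With the sample list, `2.0.0`, `2.12.3`, `3.0.0.Beta1` and `3.0.9` report `affected=true`, while `1.9.40`, `2.15.0` and `3.0.10` report `affected=false`; the version string would normally come from the JAR's `pom.properties` or a dependency lock file rather than being typed in.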