Description
The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. When redirect following is enabled (`followRedirect(true)`), versions of AsyncHttpClient prior to 3.0.9 and 2.14.5 forward Authorization and Proxy-Authorization headers along with Realm credentials to arbitrary redirect targets regardless of domain, scheme, or port changes. This leaks credentials on cross-domain redirects and HTTPS-to-HTTP downgrades. Additionally, even when `stripAuthorizationOnRedirect` is set to true, the Realm object containing plaintext credentials is still propagated to the redirect request, causing credential re-generation for Basic and Digest authentication schemes via NettyRequestFactory. An attacker who controls a redirect target (via open redirect, DNS rebinding, or MITM on HTTP) can capture Bearer tokens, Basic auth credentials, or any other Authorization header value. The fix in versions 3.0.9 and 2.14.5 automatically strips Authorization and Proxy-Authorization headers and clears Realm credentials whenever a redirect crosses origin boundaries (different scheme, host, or port) or downgrades from HTTPS to HTTP. For users unable to upgrade, set `stripAuthorizationOnRedirect(true)` in the client config and avoid using Realm-based authentication with redirect following enabled. Note that `stripAuthorizationOnRedirect(true)` alone is insufficient on versions prior to 3.0.9 and 2.14.5 because the Realm bypass still re-generates credentials. Alternatively, disable redirect following (`followRedirect(false)`) and handle redirects manually with origin validation.
Published: 2026-04-18
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Credential Disclosure
Action: Patch Now
AI Analysis

Impact

The AsyncHttpClient library, used to perform asynchronous HTTP requests, supports automatic redirect following. When it is enabled, headers that contain credentials, including Authorization and Proxy-Authorization, as well as the Realm object holding plaintext credentials, are forwarded to any redirect target. This occurs even when the redirect crosses origin boundaries or downgrades from HTTPS to HTTP. Consequently, an attacker who controls a redirect target can capture Bearer tokens, Basic authentication credentials, or other Authorization header values, leading to unauthorized disclosure.

Affected Systems

Java applications that use the AsyncHttpClient library (async-http-client) in versions earlier than 3.0.9 or 2.14.5 and that enable redirect following are vulnerable. The issue exists in all projects that have not applied the fixed releases identified in the advisories.

Risk and Exploitability

The CVSS score of 6.8 indicates moderate severity, and the EPSS score of <1% indicates a low likelihood of exploitation. The vulnerability is not yet listed in CISA’s KEV catalog. Based on the description, it is inferred that the primary attack vector is remote, exploiting HTTP redirects, open redirects, or other mechanisms that allow an attacker to control the redirect target. An adversary could obtain authentication tokens by redirecting client requests to a malicious server, potentially leading to credential compromise.

Generated by OpenCVE AI on April 22, 2026 at 03:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AsyncHttpClient to version 3.0.9 or 2.14.5 or later, where redirect handling automatically strips header credentials on origin change.
  • If an upgrade is not immediately possible, configure the client with stripAuthorizationOnRedirect(true) and refrain from using Realm-based authentication when redirect following is enabled.
  • Alternatively, disable automatic redirect following (followRedirect(false)) and implement manual redirect handling with strict origin validation.

Generated by OpenCVE AI on April 22, 2026 at 03:32 UTC.
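The third recommended action (disable automatic redirect following and validate origins by hand) is the one that fully closes the Realm re-generation path on unpatched versions. The following Java class is an added example, not code from the AsyncHttpClient project or from the advisory: it configures the client with `setFollowRedirect(false)`, follows `Location` headers itself with a hop limit, and attaches the Authorization header only while the target stays on the exact scheme, host and effective port of the original request, so a cross-host redirect or an HTTPS-to-HTTP downgrade is issued without credentials. The AHC builder and request API names used here (`Dsl.config()`, `Dsl.get()`, `RequestBuilder.setHeader()`, `executeRequest()`, `Response.getHeader()`) are assumed from the library's public API and are not stated on this page; `sameOrigin`, `getWithBoundedRedirects`, the URL and the token value are hypothetical placeholders.

```java
import java.net.URI;
import java.util.concurrent.ExecutionException;

import org.asynchttpclient.AsyncHttpClient;
import org.asynchttpclient.Dsl;
import org.asynchttpclient.RequestBuilder;
import org.asynchttpclient.Response;

public class SafeRedirectClient {

    /** Effective port, so "https://a.example" and "https://a.example:443" compare equal. */
    private static int effectivePort(URI u) {
        if (u.getPort() != -1) {
            return u.getPort();
        }
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    /**
     * True only when scheme, host and effective port all match. A scheme change
     * (the HTTPS-to-HTTP downgrade), a different host or a different port all
     * count as a new origin, mirroring the boundary the fixed releases enforce.
     */
    static boolean sameOrigin(URI from, URI to) {
        return from.getScheme() != null && to.getScheme() != null
                && from.getScheme().equalsIgnoreCase(to.getScheme())
                && from.getHost() != null && to.getHost() != null
                && from.getHost().equalsIgnoreCase(to.getHost())
                && effectivePort(from) == effectivePort(to);
    }

    /**
     * Manual redirect loop for a client built with setFollowRedirect(false).
     * The bearer token is attached only while the current target is on the
     * origin of the first request; the first cross-origin hop goes out bare.
     */
    static Response getWithBoundedRedirects(AsyncHttpClient client, String startUrl,
                                            String bearerToken, int maxHops)
            throws ExecutionException, InterruptedException {
        URI origin = URI.create(startUrl);
        URI current = origin;
        for (int hop = 0; hop <= maxHops; hop++) {
            RequestBuilder builder = Dsl.get(current.toString());
            if (sameOrigin(origin, current)) {
                builder.setHeader("Authorization", "Bearer " + bearerToken);
            }
            Response resp = client.executeRequest(builder.build()).get();
            int status = resp.getStatusCode();
            if (status < 300 || status > 399) {
                return resp;
            }
            String location = resp.getHeader("Location");
            if (location == null) {
                return resp; // e.g. 304 Not Modified carries no Location
            }
            current = current.resolve(location); // resolves relative Location values
        }
        throw new IllegalStateException("redirect limit exceeded: " + maxHops);
    }

    public static void main(String[] args) throws Exception {
        // Automatic following is off, so the library never re-sends credentials itself.
        try (AsyncHttpClient client = Dsl.asyncHttpClient(
                Dsl.config().setFollowRedirect(false).build())) {
            Response r = getWithBoundedRedirects(client,
                    "https://api.example.test/resource", // placeholder URL
                    "token-placeholder", 5);
            System.out.println(r.getStatusCode());
        }
    }
}
```

Because the token is never placed in a Realm and the header is set per request, there is no credential object for the library to carry across a hop; if the application would rather fail closed than send an unauthenticated request to a foreign origin, replace the bare request branch with an exception.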


Advisories
Source: GitHub GHSA
ID: GHSA-cmxv-58fp-fm3g
Title: AsyncHttpClient leaks authorization credentials to untrusted domains on cross-origin redirects
History

Tue, 21 Apr 2026 00:15:00 +0000

Weaknesses (values added): CWE-346
References: no change
Metrics threat_severity (values removed): None
Metrics threat_severity (values added): Moderate


Mon, 20 Apr 2026 15:15:00 +0000

First Time appeared (values added): Asynchttpclient Project; Asynchttpclient Project async-http-client
Vendors & Products (values added): Asynchttpclient Project; Asynchttpclient Project async-http-client
Metrics ssvc (values added): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 18 Apr 2026 01:45:00 +0000

Description (values added):
Description The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. When redirect following is enabled (followRedirect(true)), versions of AsyncHttpClient prior to 3.0.9 and 2.14.5 forward Authorization and Proxy-Authorization headers along with Realm credentials to arbitrary redirect targets regardless of domain, scheme, or port changes. This leaks credentials on cross-domain redirects and HTTPS-to-HTTP downgrades. Additionally, even when stripAuthorizationOnRedirect is set to true, the Realm object containing plaintext credentials is still propagated to the redirect request, causing credential re-generation for Basic and Digest authentication schemes via NettyRequestFactory. An attacker who controls a redirect target (via open redirect, DNS rebinding, or MITM on HTTP) can capture Bearer tokens, Basic auth credentials, or any other Authorization header value. The fix in versions 3.0.9 and 2.14.5 automatically strips Authorization and Proxy-Authorization headers and clears Realm credentials whenever a redirect crosses origin boundaries (different scheme, host, or port) or downgrades from HTTPS to HTTP. For users unable to upgrade, set `(stripAuthorizationOnRedirect(true))` in the client config and avoid using Realm-based authentication with redirect following enabled. Note that `(stripAuthorizationOnRedirect(true))` alone is insufficient on versions prior to 3.0.9 and 2.14.5 because the Realm bypass still re-generates credentials. Alternatively, disable redirect following (`followRedirect(false)`) and handle redirects manually with origin validation.
Title (values added): AsyncHttpClient leaks authorization credentials to untrusted domains on cross-origin redirects
Weaknesses (values added): CWE-200
References: no change
Metrics cvssV3_1 (values added): {'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N'}


Subscriptions

Asynchttpclient Project Async-http-client
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-20T14:55:50.254Z

Reserved: 2026-04-13T19:50:42.114Z

Link: CVE-2026-40490

Vulnrichment

Updated: 2026-04-20T14:51:48.455Z

NVD

Status: Deferred

Published: 2026-04-18T02:16:11.977

Modified: 2026-04-20T18:59:16.353

Link: CVE-2026-40490

Redhat

Severity: Moderate

Public Date: 2026-04-18T01:31:13Z

Links: CVE-2026-40490 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-22T03:45:06Z

Weaknesses