Description
The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. When redirect following is enabled (`followRedirect(true)`), versions of AsyncHttpClient prior to 3.0.9 and 2.14.5 forward Authorization and Proxy-Authorization headers, along with Realm credentials, to arbitrary redirect targets regardless of domain, scheme, or port changes. This leaks credentials on cross-domain redirects and on HTTPS-to-HTTP downgrades.

Additionally, even when `stripAuthorizationOnRedirect` is set to true, the Realm object containing plaintext credentials is still propagated to the redirect request, causing credential re-generation for the Basic and Digest authentication schemes via NettyRequestFactory. An attacker who controls a redirect target (via an open redirect, DNS rebinding, or a MITM position on HTTP) can capture Bearer tokens, Basic auth credentials, or any other Authorization header value.

The fix in versions 3.0.9 and 2.14.5 automatically strips Authorization and Proxy-Authorization headers and clears Realm credentials whenever a redirect crosses origin boundaries (different scheme, host, or port) or downgrades from HTTPS to HTTP. For users unable to upgrade, set `stripAuthorizationOnRedirect(true)` in the client config and avoid using Realm-based authentication with redirect following enabled. Note that `stripAuthorizationOnRedirect(true)` alone is insufficient on versions prior to 3.0.9 and 2.14.5, because the Realm bypass still re-generates credentials. Alternatively, disable redirect following (`followRedirect(false)`) and handle redirects manually with origin validation.
Published: 2026-04-18
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Credential Disclosure
Action: Patch Now
AI Analysis

Impact

The AsyncHttpClient library, used by Java applications to perform HTTP requests, forwards Authorization and Proxy-Authorization headers to any redirect target when redirect following is enabled. This occurs even when the redirect crosses an origin boundary (different host, scheme, or port) or downgrades the connection from HTTPS to HTTP. The library also propagates the Realm object that stores plaintext credentials, so Basic or Digest authentication values are re-generated for the redirected request even when header stripping is configured. An attacker who controls a redirect target, for example through an open redirect, DNS rebinding, or an HTTP man-in-the-middle position, can capture Bearer tokens, Basic auth credentials, or any other Authorization header value. The result is unauthorized disclosure of credentials to a third party, classified under CWE-200.

Affected Systems

Java applications that use AsyncHttpClient (async-http-client) with redirect following enabled and that run a version earlier than 3.0.9 (3.x line) or 2.14.5 (2.x line) are vulnerable. The library is often pulled in transitively by other frameworks and SDKs, so check the full dependency tree rather than only directly declared dependencies when deciding whether a project is affected.

Risk and Exploitability

The CVSS v3.1 base score of 6.8 (vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N) indicates moderate severity: the attack is remote and needs no privileges or user interaction, but attack complexity is rated high because the attacker must first gain control of a redirect target, and the changed scope reflects that credentials meant for one server are delivered to another. The vulnerability is not listed in CISA's KEV catalog and its EPSS score is below 1%. Controlling a redirect target is nonetheless realistic wherever a server the client talks to has an open redirect, or wherever the client follows plain-HTTP links that a network attacker can tamper with. An adversary in that position captures whatever the client sends in the Authorization or Proxy-Authorization header, or the Basic/Digest credentials re-generated from a Realm, and can then use them against the legitimate service.

Generated by OpenCVE AI on April 18, 2026 at 08:40 UTC.

Remediation

Vendor fix: upgrade to AsyncHttpClient 3.0.9 (3.x line) or 2.14.5 (2.x line). Vendor workaround for users unable to upgrade: set `stripAuthorizationOnRedirect(true)` and avoid Realm-based authentication while redirect following is enabled, or disable redirect following and validate redirect origins manually (see the Description above).

OpenCVE Recommended Actions

  • Upgrade AsyncHttpClient to version 3.0.9 (3.x line) or 2.14.5 (2.x line) or later. In those releases the redirect handling strips the Authorization and Proxy-Authorization headers and clears Realm credentials whenever a redirect changes scheme, host, or port, or downgrades from HTTPS to HTTP.
  • If an upgrade is not immediately possible, configure the client with stripAuthorizationOnRedirect(true) and refrain from using Realm-based authentication when redirect following is enabled. The header-stripping option alone does not protect vulnerable versions, because a configured Realm still re-generates Basic or Digest credentials for the redirected request.
  • Alternatively, disable automatic redirect following (followRedirect(false)) and implement manual redirect handling that re-attaches credentials only when the next hop keeps the original scheme, host, and port.
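The following is an added example written for this page, not code from the AsyncHttpClient project. It implements the last recommended action above and applies the same origin rule that the Description attributes to the fixed releases (scheme, host, and port must all match, so an HTTPS-to-HTTP downgrade also counts as cross-origin). The client is created with `followRedirect(false)`, every hop is issued by the example itself, and the Authorization header is attached only while the hop stays on the origin the caller addressed. The AHC calls used (`Dsl.config().setFollowRedirect(..)`, `prepareGet(..)`, `setHeader(..)`, `execute().get()`, `getStatusCode()`, `getHeader(..)`, `getUri()`) are public AHC 2.x/3.x API; the hostnames, paths and token value are constructed placeholders.

```java
import java.net.URI;
import java.util.concurrent.ExecutionException;

import org.asynchttpclient.AsyncHttpClient;
import org.asynchttpclient.BoundRequestBuilder;
import org.asynchttpclient.Dsl;
import org.asynchttpclient.Response;

/**
 * Manual redirect following with origin validation for AsyncHttpClient.
 * Added example for this page, not AHC project code. Hostnames and the
 * token value below are constructed placeholders.
 */
public final class OriginBoundRedirectClient {

    private static final int MAX_REDIRECTS = 5;

    /** Effective port: the explicit port if present, otherwise the scheme default. */
    static int effectivePort(URI u) {
        if (u.getPort() != -1) {
            return u.getPort();
        }
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    /**
     * Same-origin rule: scheme, host and effective port must all agree.
     * An https->http downgrade fails the scheme test, so it is cross-origin too.
     * Opaque or malformed URIs (no scheme or host) are never treated as trusted.
     */
    static boolean sameOrigin(URI origin, URI target) {
        if (origin.getScheme() == null || target.getScheme() == null
                || origin.getHost() == null || target.getHost() == null) {
            return false;
        }
        return origin.getScheme().equalsIgnoreCase(target.getScheme())
                && origin.getHost().equalsIgnoreCase(target.getHost())
                && effectivePort(origin) == effectivePort(target);
    }

    static boolean isRedirect(int status) {
        return status == 301 || status == 302 || status == 303
                || status == 307 || status == 308;
    }

    /**
     * GET with a bearer token. The caller must create the client with
     * followRedirect(false); this method issues every hop itself and attaches
     * the Authorization header only while the hop stays on the original origin.
     * A cross-origin hop is still followed, but without the credential, which
     * mirrors the behaviour of the fixed releases. Throwing on a cross-origin
     * hop instead of following it is the stricter alternative.
     */
    static Response getWithBearer(AsyncHttpClient client, String url, String token)
            throws ExecutionException, InterruptedException {
        URI origin = URI.create(url);
        URI current = origin;
        for (int hop = 0; hop <= MAX_REDIRECTS; hop++) {
            BoundRequestBuilder req = client.prepareGet(current.toString());
            if (sameOrigin(origin, current)) {
                req.setHeader("Authorization", "Bearer " + token);
            }
            Response resp = req.execute().get();
            if (!isRedirect(resp.getStatusCode())) {
                return resp;
            }
            String location = resp.getHeader("Location");
            if (location == null) {
                return resp; // redirect status without Location: hand it back as-is
            }
            current = current.resolve(location); // Location may be relative
        }
        throw new IllegalStateException("more than " + MAX_REDIRECTS + " redirects from " + url);
    }

    public static void main(String[] args) throws Exception {
        // Offline check of the origin rule against constructed URIs.
        URI api = URI.create("https://api.example.com/v1/data");
        check(sameOrigin(api, URI.create("https://api.example.com:443/v1/other")), "same origin");
        check(!sameOrigin(api, URI.create("http://api.example.com/v1/data")), "https->http downgrade");
        check(!sameOrigin(api, URI.create("https://login.example.com/")), "host change");
        check(!sameOrigin(api, URI.create("https://api.example.com:8443/")), "port change");

        // Live use: redirects are followed by getWithBearer, never by the client itself.
        try (AsyncHttpClient client = Dsl.asyncHttpClient(Dsl.config().setFollowRedirect(false))) {
            Response r = getWithBearer(client, api.toString(), "placeholder-token");
            System.out.println("final status " + r.getStatusCode() + " from " + r.getUri());
        }
    }

    private static void check(boolean ok, String what) {
        if (!ok) {
            throw new AssertionError("origin rule failed: " + what);
        }
    }
}
```

Because the credential is passed as a plain header and no Realm is configured, the Realm re-generation path that defeats `stripAuthorizationOnRedirect(true)` on vulnerable versions is never exercised. Setting that option on the builder as well does no harm, but this example does not depend on it, so it protects a client that is stuck on a pre-3.0.9 / pre-2.14.5 release until the upgrade lands.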

Advisories
Source: GitHub GHSA
ID: GHSA-cmxv-58fp-fm3g
Title: AsyncHttpClient leaks authorization credentials to untrusted domains on cross-origin redirects
History

Sat, 18 Apr 2026 01:45:00 +0000

Values added:

Description: added; identical to the Description at the top of this page.
Title: AsyncHttpClient leaks authorization credentials to untrusted domains on cross-origin redirects
Weaknesses: CWE-200
References: none recorded
Metrics: cvssV3_1, score 6.8, vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-18T01:31:13.860Z

Reserved: 2026-04-13T19:50:42.114Z

Link: CVE-2026-40490

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-18T02:16:11.977

Modified: 2026-04-18T02:16:11.977

Link: CVE-2026-40490

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T08:45:41Z

Weaknesses