Description
Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to accept SCRAM-SHA-256 authentication without proper mutual authentication verification. Users are recommended to upgrade to version 5.6.1, which fixes this issue.
Published: 2026-04-22
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass
Action: Patch
AI Analysis

Impact

The vulnerability lies in a missing critical step during SCRAM‑SHA‑256 authentication in Apache HttpClient. Because of this, an attacker can compel the client to accept a SCRAM‑SHA‑256 authentication exchange without the necessary mutual verification, effectively bypassing the intended security check. This bypass allows an attacker to impersonate a legitimate client or service, potentially compromising confidentiality and integrity of all authenticated sessions that rely on this client.

Affected Systems

Apache Software Foundation’s Apache HttpClient is affected, specifically version 5.6. The issue is fixed starting with version 5.6.1; earlier releases are vulnerable.

Risk and Exploitability

The vulnerability is an authentication bypass (CWE‑304). The CVSS score of 7.3 indicates a high severity, and the EPSS score is below 1 %, implying the likelihood of exploitation is currently low. It is not listed in the CISA KEV catalog. Because the flaw involves the authentication protocol, the likely attack vector is a network‑based request directed at a system that uses HttpClient for SCRAM‑SHA‑256 mutual authentication. The impact is that an attacker can establish a session that the client will treat as authenticated even though mutual verification did not occur. Though exploit data is limited, this loss of authentication control poses a high risk to any application that relies on this client for secure communications.

Generated by OpenCVE AI on April 22, 2026 at 19:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache HttpClient to version 5.6.1 or later.
  • If upgrading is not immediately possible, disable SCRAM‑SHA‑256 mutual authentication or enforce additional authentication checks at the application layer.
  • Monitor authentication logs for anomalous success messages and validate that mutual authentication is being enforced after the migration.

Generated by OpenCVE AI on April 22, 2026 at 19:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
References

Wed, 22 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache httpclient
Vendors & Products Apache
Apache httpclient

Wed, 22 Apr 2026 07:45:00 +0000

Type Values Removed Values Added
Description Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to accept SCRAM-SHA-256 authentication without proper mutual authentication verification. Users are recommended to upgrade to version 5.6.1, which fixes this issue.
Title Apache HttpClient: SCRAM-SHA-256 mutual authentication bypass may cause the client to accept authentication without proper mutual authentication verification
Weaknesses CWE-304
References

Subscriptions

Apache Httpclient
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-22T16:23:59.296Z

Reserved: 2026-04-14T09:11:14.268Z

Link: CVE-2026-40542

cve-icon Vulnrichment

Updated: 2026-04-22T16:23:59.296Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-22T08:16:12.780

Modified: 2026-04-22T21:23:52.620

Link: CVE-2026-40542

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T19:30:24Z

Weaknesses