Description
Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to accept SCRAM-SHA-256 authentication without proper mutual authentication verification. Users are recommended to upgrade to version 5.6.1, which fixes this issue.
Published: 2026-04-22
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in a missing critical step during SCRAM‑SHA‑256 authentication in Apache HttpClient. Because of this, an attacker can compel the client to accept a SCRAM‑SHA‑256 authentication exchange without the necessary mutual verification, effectively bypassing the intended security check. This bypass allows an attacker to impersonate a legitimate client or service, potentially compromising confidentiality and integrity of all authenticated sessions that rely on this client. Additionally, this flaw is associated with CWE‑325.

Affected Systems

Apache Software Foundation’s Apache HttpClient is affected, specifically version 5.6. The issue is fixed starting with version 5.6.1; earlier releases are vulnerable.

Risk and Exploitability

The vulnerability is an authentication bypass (CWE‑304) and also involves CWE‑325. The CVSS score of 7.3 indicates a high severity, and the EPSS score is below 1 %, implying the likelihood of exploitation is currently low. It is not listed in the CISA KEV catalog. Because the flaw involves the authentication protocol, the likely attack vector is a network‑based request directed at a system that uses HttpClient for SCRAM‑SHA‑256 mutual authentication. The impact is that an attacker can establish a session that the client will treat as authenticated even though mutual verification did not occur. Though exploit data is limited, this loss of authentication control poses a high risk to any application that relies on this client for secure communications.

Generated by OpenCVE AI on May 5, 2026 at 01:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache HttpClient to version 5.6.1 or later.
  • If upgrading is not immediately possible, disable SCRAM‑SHA‑256 mutual authentication or enforce additional authentication checks at the application layer.
  • Monitor authentication logs for anomalous success messages and validate that mutual authentication is being enforced after the migration.

Generated by OpenCVE AI on May 5, 2026 at 01:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-v468-qcjx-r72w Apache HttpClient accepts SCRAM-SHA-256 authentication without proper mutual authentication verification
History

Tue, 05 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-325
References
Metrics threat_severity

None

 threat_severity

Important

Fri, 01 May 2026 17:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:apache:httpclient:5.6:-:*:*:*:*:*:*

Wed, 22 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
References

Wed, 22 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache httpclient
Vendors & Products Apache
Apache httpclient

Wed, 22 Apr 2026 07:45:00 +0000

Type Values Removed Values Added
Description Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to accept SCRAM-SHA-256 authentication without proper mutual authentication verification. Users are recommended to upgrade to version 5.6.1, which fixes this issue.
Title Apache HttpClient: SCRAM-SHA-256 mutual authentication bypass may cause the client to accept authentication without proper mutual authentication verification
Weaknesses CWE-304
References

Subscriptions

Apache Httpclient
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-22T16:23:59.296Z

Reserved: 2026-04-14T09:11:14.268Z

Link: CVE-2026-40542

cve-icon Vulnrichment

Updated: 2026-04-22T16:23:59.296Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-22T08:16:12.780

Modified: 2026-05-01T17:12:59.940

Link: CVE-2026-40542

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-22T07:07:21Z

Links: CVE-2026-40542 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-05T01:30:12Z

Weaknesses