7.3
CVE-2026-40542
- EPSS 0.46%
- Veröffentlicht 22.04.2026 07:07:21
- Zuletzt bearbeitet 30.06.2026 03:19:18
- Quelle security@apache.org
- CVE-Watchlists
- Unerledigt
Apache HttpClient: SCRAM-SHA-256 mutual authentication bypass may cause the client to accept authentication without proper mutual authentication verification
Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to accept SCRAM-SHA-256 authentication without proper mutual authentication verification. Users are recommended to upgrade to version 5.6.1, which fixes this issue.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Apache ≫ Httpclient Version5.6 Update-
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.46% | 0.363 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 7.3 | 3.9 | 3.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
|
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | 7.3 | 3.9 | 3.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
|
CWE-304 Missing Critical Step in Authentication
The product implements an authentication technique, but it skips a step that weakens the technique.
CWE-325 Missing Cryptographic Step
The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm.
https://lists.apache.org/thread/tfmgv86xr0z1y096vs3z0y315t1v3o97
http://www.openwall.com/lists/oss-security/2026/04/22/5
https://access.redhat.com/security/cve/CVE-2026-40542
https://bugzilla.redhat.com/show_bug.cgi?id=2460518
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-40542.json