7.3

CVE-2026-40542

Apache HttpClient: SCRAM-SHA-256 mutual authentication bypass may cause the client to accept authentication without proper mutual authentication verification

Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to accept SCRAM-SHA-256 authentication without proper mutual authentication verification. Users are recommended to upgrade to version 5.6.1, which fixes this issue.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ApacheHttpclient Version5.6 Update-
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.46% 0.363
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.3 3.9 3.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
0b0ca135-0b70-47e7-9f44-1890c2a1c46c 7.3 3.9 3.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE-304 Missing Critical Step in Authentication

The product implements an authentication technique, but it skips a step that weakens the technique.

CWE-325 Missing Cryptographic Step

The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm.

https://lists.apache.org/thread/tfmgv86xr0z1y096vs3z0y315t1v3o97
Vendor Advisory
Mailing List
http://www.openwall.com/lists/oss-security/2026/04/22/5
Third Party Advisory
Mailing List
https://access.redhat.com/security/cve/CVE-2026-40542
https://bugzilla.redhat.com/show_bug.cgi?id=2460518
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-40542.json