7.3

CVE-2026-40542

EPSS 0.1%
Veröffentlicht 22.04.2026 07:07:21
Zuletzt bearbeitet 01.05.2026 17:12:59
Quelle security@apache.org
CVE-Watchlists
Login
Unerledigt
Login

Apache HttpClient: SCRAM-SHA-256 mutual authentication bypass may cause the client to accept authentication without proper mutual authentication verification

Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to accept SCRAM-SHA-256 authentication without proper mutual authentication verification. Users are recommended to upgrade to version 5.6.1, which fixes this issue.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Httpclient Version5.6 Update-

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.1%	0.274

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	7.3	3.9	3.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE-304 Missing Critical Step in Authentication

The product implements an authentication technique, but it skips a step that weakens the technique.

https://lists.apache.org/thread/tfmgv86xr0z1y096vs3z0y315t1v3o97

Vendor Advisory

Mailing List

http://www.openwall.com/lists/oss-security/2026/04/22/5

Third Party Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2026-40542

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-40542

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-40542

EUVD