CVE-2026-40542

⚠️ high

Summary

Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to accept SCRAM-SHA-256 authentication without proper mutual authentication verification. Users are recommended to upgrade to version 5.6.1, which fixes this issue.

CVSS Score

7.3

High

EPSS Score

0.1

Exploit Probability

Published Date

2026-04-22

First Seen: 2026-05-03

📊 Relative Risk Intelligence

This CVE is Moderate Risk - more severe than 55.5% of all 329,456 vulnerabilities in our database.

#146,766

Above average severity

Severity Percentile

🎯 CISA SSVC Assessment Updated: Apr 22, 2026

🔍 Exploitation Status

None

No known exploits

⚙️ Automatable

YES

Can be exploited automatically

💥 Technical Impact

Partial

Limited system impact

🏆 Discovered By

Rasmus Moorats

SSVC data provided by CISA

Last Modified 2026-05-01

Source NVD 🔗

CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE IDs (Weakness Types)

CWE-304

📦 Affected Products 1

Vendor	Product	Status	Affected Versions
apache	httpclient	Affected	v5.6

🔗 References 2

https://lists.apache.org/thread/tfmgv86xr0z1y096vs3z...

Mailing List Vendor Advisory

http://www.openwall.com/lists/oss-security/2026/04/22/5

Mailing List Third Party Advisory

🔗 Related CVEs 6

CVE ID	Severity	CVSS	EPSS	Summary	Published
CVE-2025-27820	⚠️ high	7.5	0.1	A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management and host na...	2025-04-24
CVE-2020-13956	🔶 medium	5.3	0.5	Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request U...	2020-12-02
CVE-2013-4366	⛔ critical	9.8	1.3	http/impl/client/HttpClientBuilder.java in Apache HttpClient 4.3.x before 4.3.1 does not ensure that X509HostnameVerifie...	2017-10-30
CVE-2015-5262	🔶 medium	4.3	0.9	http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.t...	2015-10-27
CVE-2014-3577	🔶 medium	5.8	9.2	org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4....	2014-08-21
CVE-2012-5783	🔶 medium	5.8	0.7	Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, d...	2012-11-04

These CVEs affect the same products