CVE-2026-40542— Apache HttpClient: SCRAM-SHA-256 mutual authentication bypass may cause the client to accept authentication without proper mutual authentication verification
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-40542
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Apache HttpClient: SCRAM-SHA-256 mutual authentication bypass may cause the client to accept authentication without proper mutual authentication verification
Source: NVD (National Vulnerability Database)
Vulnerability Description
Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to accept SCRAM-SHA-256 authentication without proper mutual authentication verification. Users are recommended to upgrade to version 5.6.1, which fixes this issue.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
认证中关键步骤缺失
Source: NVD (National Vulnerability Database)
Vulnerability Title
Apache HttpClient 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Apache HttpClient是美国阿帕奇(Apache)基金会的一个 Java 编写的访问HTTP资源的客户端程序。该程序用于使用HTTP协议访问网络资源。 Apache HttpClient 5.6版本存在安全漏洞,该漏洞源于身份验证中缺少关键步骤,可能导致攻击者使客户端在没有适当相互身份验证验证的情况下接受SCRAM-SHA-256身份验证。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Apache Software Foundation | Apache HttpClient | 5.6 ~ 5.6.1 | - |
II. Public POCs for CVE-2026-40542
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-40542
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same product: Apache HttpClient
Same vendor: Apache Software Foundation
- CVE-2026-39816
Apache NiFi: Missing Execute Code Required Permission on Tin - CVE-2026-25199
Apache CloudStack: Proxmox Extension Allows Unauthorized Cro - CVE-2026-25077
Apache CloudStack: Unauthenticated Command Injection in Dire - CVE-2025-69233
Apache CloudStack: Domain/account resources limits not honor - CVE-2025-66467
Apache CloudStack: MinIO policy remains intact on bucket del
V. Comments for CVE-2026-40542
No comments yet