AsyncHttpClient CVE-2026-40490 Authorization Credentials Leaked on Cross-Origin Redirects

Vulnerability Overview Title: Authorization credentials leaked to untrusted domains on cross-origin redirects CVE ID: CVE-2026-40490 CVSS Score: 6.8 / 10 Severity: Moderate Release Date: Last week Affected Versions: < 3.0.9 and < 2.14.5 Fixed Versions: 3.0.9 and 2.14.5 --- Impact Scope When is enabled, AsyncHttpClient forwards the Authorization and Proxy-Authorization headers as well as Realm credentials to any redirect target, regardless of its domain, protocol, or port. This can lead to credential leakage during cross-origin redirects and HTTPS-to-HTTP downgrade scenarios. Even with set, Realm objects containing plaintext credentials will still propagate to redirected requests, causing Basic and Digest authentication schemes to regenerate credentials via NettyRequestFactory. An attacker can capture Bearer tokens, basic authentication credentials, or any other Authorization header values by controlling the redirect target (e.g., open redirect, DNS rebinding, or MITM over HTTP). --- Remediation Upgrade Version: Users should immediately upgrade to version 3.0.9 or 2.14.5. Automatic Fix: The fix automatically strips Authorization and Proxy-Authorization headers and clears Realm credentials when a redirect crosses different domain boundaries (different protocol, host, or port) or downgrades from HTTPS to HTTP. --- Temporary Mitigations For users unable to upgrade: Set in the client configuration and avoid using Realm-based authentication while enabling redirect following. Note: Setting only is insufficient in versions prior to 3.0.9, because Realm bypass will still regenerate credentials. Alternatively, disable redirect following ( ) and manually handle redirects with origin validation. --- References Fix Commit: 827fab7fe

Goal Reached Thanks to every supporter — we hit 100%!

AsyncHttpClient CVE-2026-40490 Authorization Credentials Leaked on Cross-Origin Redirects

More from this source