{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40542", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-04-14T09:11:14.268Z", "datePublished": "2026-04-22T07:07:21.344Z", "dateUpdated": "2026-04-22T16:23:59.296Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "org.apache.httpcomponents.client5:httpclient5", "product": "Apache HttpClient", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "5.6.1", "status": "affected", "version": "5.6", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Rasmus Moorats"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<code>Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to accept SCRAM-SHA-256 authentication without proper mutual authentication verification. Users are recommended to upgrade to version 5.6.1, which fixes this issue.</code><br>"}], "value": "Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to accept SCRAM-SHA-256 authentication without proper mutual authentication verification. Users are recommended to upgrade to version 5.6.1, which fixes this issue."}], "metrics": [{"other": {"content": {"text": "Important"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-304", "description": "CWE-304: Missing Critical Step in Authentication", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-22T07:07:21.344Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/tfmgv86xr0z1y096vs3z0y315t1v3o97"}], "source": {"discovery": "EXTERNAL"}, "title": "Apache HttpClient: SCRAM-SHA-256 mutual authentication bypass may cause the client to accept authentication without proper mutual authentication verification", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T14:14:52.319783Z", "id": "CVE-2026-40542", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T14:15:54.885Z"}}, {"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/22/5"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-22T16:23:59.296Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/22/5"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-22T16:23:59.296Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-40542", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T14:14:52.319783Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T14:14:06.309Z"}}], "cna": {"title": "Apache HttpClient: SCRAM-SHA-256 mutual authentication bypass may cause the client to accept authentication without proper mutual authentication verification", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Rasmus Moorats"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "Important"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache HttpClient", "versions": [{"status": "affected", "version": "5.6", "lessThan": "5.6.1", "versionType": "semver"}], "packageName": "org.apache.httpcomponents.client5:httpclient5", "collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/tfmgv86xr0z1y096vs3z0y315t1v3o97", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to accept SCRAM-SHA-256 authentication without proper mutual authentication verification. Users are recommended to upgrade to version 5.6.1, which fixes this issue.", "supportingMedia": [{"type": "text/html", "value": "<code>Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to accept SCRAM-SHA-256 authentication without proper mutual authentication verification. Users are recommended to upgrade to version 5.6.1, which fixes this issue.</code><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-304", "description": "CWE-304: Missing Critical Step in Authentication"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-22T07:07:21.344Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40542", "state": "PUBLISHED", "dateUpdated": "2026-04-22T16:23:59.296Z", "dateReserved": "2026-04-14T09:11:14.268Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2026-04-22T07:07:21.344Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to accept SCRAM-SHA-256 authentication without proper mutual authentication verification. Users are recommended to upgrade to version 5.6.1, which fixes this issue."}], "id": "CVE-2026-40542", "lastModified": "2026-04-22T17:16:43.580", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-22T08:16:12.780", "references": [{"source": "security@apache.org", "url": "https://lists.apache.org/thread/tfmgv86xr0z1y096vs3z0y315t1v3o97"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/04/22/5"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-304"}], "source": "security@apache.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.6,5.6.1)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Apache HttpClient", "source": "cna", "vendor": "Apache Software Foundation"}, "product": "httpclient", "vendor": "apache"}], "analysis": {"en": {"generated_at": "2026-04-22T08:21:14.766569+00:00", "value": {"mitigation_remediation": ["Upgrade Apache HttpClient to version 5.6.1 or later.", "If upgrading is not immediately possible, disable SCRAM\u2011SHA\u2011256 mutual authentication or enforce additional authentication checks at the application layer.", "Monitor authentication logs for anomalous success messages and validate that mutual authentication is being enforced after the migration."], "summary": {"action": "Patch", "impact": "Authentication Bypass"}, "threat_synthesis": {"affected_systems": "Apache Software Foundation\u2019s Apache HttpClient is affected, specifically version 5.6. The issue is fixed starting with version 5.6.1; earlier releases are vulnerable.", "description_and_impact": "The vulnerability lies in a missing critical step during SCRAM\u2011SHA\u2011256 authentication in Apache HttpClient. Because of this, an attacker can compel the client to accept a SCRAM\u2011SHA\u2011256 authentication exchange without the necessary mutual verification, effectively bypassing the intended security check. This bypass allows an attacker to impersonate a legitimate client or service, potentially compromising confidentiality and integrity of all authenticated sessions that rely on this client.", "risk_and_exploitability": "The vulnerability is an authentication bypass (CWE\u2011304). No EPSS score is available and the issue is not listed in CISA KEV. Because the flaw involves the authentication protocol, the likely attack vector is a network\u2011based request directed at a system that uses HttpClient for SCRAM\u2011SHA\u2011256 mutual authentication. The impact is that an attacker can establish a session that a client will treat as authenticated even though mutual verification did not occur. Although exploit data is limited, the severity of losing authentication control suggests a high risk to any application that relies on this client for secure communications."}}}}, "created": "2026-04-22T08:30:12.486781+00:00", "updated": "2026-04-22T09:30:13.310111+00:00", "vendors": ["apache", "apache$PRODUCT$httpclient"]}