CVE-2026-40542

EUVD-2026-24630
Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to accept SCRAM-SHA-256 authentication without proper mutual authentication verification. Users are recommended to upgrade to version 5.6.1, which fixes this issue.
Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST | Primary | 7.3 HIGH | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS Score
Percentile: 17%
Affected Products (NVD)
Vendor | Product | Version
apache | httpclient | 5.6
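Debian Releases
Debian Product | Codename | Version | Status
httpcomponents-client | bookworm | 4.5.14-1 | fixed
httpcomponents-client | bullseye | 4.5.13-2 | fixed
httpcomponents-client | forky | 4.5.14-1 | fixed
httpcomponents-client | sid | 4.5.14-1 | fixed
httpcomponents-client | trixie | 4.5.14-1 | fixed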