CVE-2026-40542

EUVD-2026-24630
Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to accept SCRAM-SHA-256 authentication without proper mutual authentication verification. Users are recommended to upgrade to version 5.6.1, which fixes this issue.
Provider  Type  Base Score  Atk. Vector  Atk. Complexity  Priv. Required  Vector
apache    CNA   7.3 HIGH    NETWORK      LOW              NONE            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS Score (Percentile: Unknown)
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
Vendor  Product     Version          Source
apache  httpclient  5.6 ≤ x < 5.6.1  CNA
Debian Releases
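Debian Product         Codename  Version   Status
httpcomponents-client  bookworm  4.5.14-1  fixed
httpcomponents-client  bullseye  4.5.13-2  fixed
httpcomponents-client  forky     4.5.14-1  fixed
httpcomponents-client  sid       4.5.14-1  fixed
httpcomponents-client  trixie    4.5.14-1  fixed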