Authorization Header Leakage in AsyncHttpClient Library by AsyncHTTPClient
CVE-2026-40490
What is CVE-2026-40490?
The AsyncHttpClient library enables Java applications to perform asynchronous HTTP requests. Versions prior to 3.0.9 and 2.14.5 forward the Authorization and Proxy-Authorization headers when following redirects, regardless of whether the redirect target changes the domain, scheme, or port, so credentials can be sent to arbitrary redirect targets. Under conditions such as an open redirect or an HTTP downgrade this can lead to credential theft. Users are advised to upgrade to the latest versions or to configure stripAuthorizationOnRedirect(true) to prevent credential exposure; on older versions this setting alone is not sufficient, because of inherent flaws in the Realm handling for authentication. Alternatively, disabling redirect following and performing proper origin checks before re-sending credentials mitigates the risk.
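The origin check the advisory calls for, as an added illustration in Python rather than code from the AsyncHttpClient project: a redirect is only allowed to carry Authorization and Proxy-Authorization when scheme, host and port all match, so a domain change, port change or HTTPS-to-HTTP downgrade strips them. The hostnames and responses below are constructed for the example.

```python
from urllib.parse import urlsplit, urljoin

DEFAULT_PORTS = {"http": 80, "https": 443}
CREDENTIAL_HEADERS = {"authorization", "proxy-authorization"}


def origin(url):
    """Return (scheme, host, port) with the default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return (scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme))


def same_origin(url_a, url_b):
    """Strict comparison: any change in scheme, host or port is cross-origin,
    so an https -> http downgrade on the same host also fails the check."""
    return origin(url_a) == origin(url_b)


def headers_for_redirect(headers, from_url, to_url, strip_cross_origin=True):
    """Headers to send to the redirect target. strip_cross_origin=False mirrors
    the vulnerable behaviour: credentials follow the redirect anywhere."""
    if strip_cross_origin and not same_origin(from_url, to_url):
        return {k: v for k, v in headers.items() if k.lower() not in CREDENTIAL_HEADERS}
    return dict(headers)


def follow(url, headers, responses, strip_cross_origin=True, max_hops=5):
    """Simulate a client following redirects. `responses` maps a URL to either
    ("redirect", Location) or ("ok", None). Returns (final_url, headers sent there)."""
    for _ in range(max_hops):
        kind, location = responses[url]
        if kind != "redirect":
            return url, headers
        target = urljoin(url, location)  # Location may be relative
        headers = headers_for_redirect(headers, url, target, strip_cross_origin)
        url = target
    raise RuntimeError("too many redirects")


# Constructed responses: the API host open-redirects to a third-party host,
# and also has a harmless same-origin redirect.
RESPONSES = {
    "https://api.example.com/login": ("redirect", "https://other.example.net/collect"),
    "https://other.example.net/collect": ("ok", None),
    "https://api.example.com/old": ("redirect", "/new"),
    "https://api.example.com/new": ("ok", None),
}
```

With strip_cross_origin=False the bearer token reaches other.example.net; with the check enabled only the non-credential headers do, while the same-origin redirect to /new still carries the token.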
Affected Version(s)
async-http-client: affected >= 3.0.0.Beta1, < 3.0.9 (unaffected: < 3.0.0.Beta1; fixed in 3.0.9)
async-http-client: affected < 2.14.5 (fixed in 2.14.5)
