Authentication Flaw in Apache HttpClient Affects User Security
CVE-2026-40542

Currently unrated

Key Information:

Vendor: Apache
Status: Apache Httpclient
Vendor: CVE Published:; 22 April 2026

What is CVE-2026-40542?

A vulnerability in Apache HttpClient version 5.6 exposes users to potential security risks by allowing the acceptance of SCRAM-SHA-256 authentication without adequate mutual authentication verification. To enhance security and prevent unauthorized access, it is crucial to upgrade to version 5.6.1, which addresses this critical oversight.

Affected Version(s)

Apache HttpClient 5.6 < 5.6.1

References

https://lists.apache.org/thread/tfmgv86xr0z1y096vs3z0y315...

vendor-advisory

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 22, 2026
Vulnerability Reserved
Apr 14, 2026

Credit

Rasmus Moorats

CVE-2026-40542 Data

JSON