Cross-Origin Cookie Leakage in AsyncHttpClient Library by AsyncHttpClient
CVE-2026-45300

7.4 HIGH

Key Information:

Vendor: AsyncHttpClient
CVE Published: 5 June 2026

What is CVE-2026-45300?

The AsyncHttpClient library for Java has a vulnerability that leaks sensitive Cookie headers to third-party servers through cross-origin redirects. When the client follows a redirect to a different origin, it copies the Cookie header onto the redirected request, so an attacker operating the redirect target receives session cookies and other sensitive data. The propagatedHeaders() method in Redirect30xInterceptor.java fails to strip the Cookie header, even though it already strips the Authorization and Proxy-Authorization headers. Users of versions prior to 2.15.0 and 3.0.10 are advised to upgrade to the latest releases to mitigate this risk.
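
As an added illustration of the check the fix introduces (not the library's own code), the following standalone Java class copies request headers onto a redirected request and drops Cookie, together with Authorization and Proxy-Authorization, whenever the redirect target has a different scheme, host or port than the original URL; the class, method and sample header values are assumptions chosen for this example.

```java
import java.net.URI;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Illustrative 30x redirect header filter; not AsyncHttpClient's own code.
public class RedirectHeaderFilter {
    // Headers that must not follow a redirect to another origin. The fixed
    // library strips Cookie here alongside Authorization and Proxy-Authorization.
    private static final List<String> ORIGIN_BOUND =
            Arrays.asList("cookie", "authorization", "proxy-authorization");
    // Default port for the scheme when the URI carries none.
    private static int effectivePort(URI u) {
        if (u.getPort() != -1) return u.getPort();
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }
    // Same origin means scheme, host and effective port all match.
    // A URI without a host is treated as a different origin (fail closed).
    static boolean sameOrigin(URI a, URI b) {
        if (a.getHost() == null || b.getHost() == null) return false;
        return a.getScheme().equalsIgnoreCase(b.getScheme())
                && a.getHost().equalsIgnoreCase(b.getHost())
                && effectivePort(a) == effectivePort(b);
    }
    // Headers to copy onto the redirected request. Before the fix, Cookie was
    // copied even when 'to' pointed at a different origin than 'from'.
    static Map<String, String> propagatedHeaders(Map<String, String> original,
                                                 URI from, URI to) {
        boolean crossOrigin = !sameOrigin(from, to);
        Map<String, String> out = new HashMap<>();
        for (Map.Entry<String, String> e : original.entrySet()) {
            if (crossOrigin && ORIGIN_BOUND.contains(e.getKey().toLowerCase())) {
                continue; // drop credential-bearing headers on cross-origin hops
            }
            out.put(e.getKey(), e.getValue());
        }
        return out;
    }
    public static void main(String[] args) {
        Map<String, String> h = new HashMap<>();
        h.put("Cookie", "session=abc123");      // constructed sample values
        h.put("Authorization", "Bearer t0ken");
        h.put("Accept", "application/json");
        URI from = URI.create("https://app.example/login");
        System.out.println(propagatedHeaders(h, from, URI.create("https://app.example/home")));
        System.out.println(propagatedHeaders(h, from, URI.create("https://other.example/")));
    }
}
```

On the same-origin hop all three headers are forwarded; on the hop to other.example only Accept remains.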

Affected Version(s)

async-http-client: affected >= 3.0.0.Beta1, < 3.0.10; unaffected < 3.0.0.Beta1; fixed in 3.0.10

async-http-client: affected >= 2.0.0, < 2.15.0; unaffected < 2.0.0; fixed in 2.15.0

References

CVSS V3.1

Score: 7.4
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
